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DESCRIPTION 
ELLIPTIC CURVE SCALAR MULTIPLICATION METHOD, 



APPARATUS, AND STORAGE MEDIUM 



TECHNICAL FIELD 

The present invention relates to a security 
technique in a computer network, particularly to a 
cryptography processing execution method in an elliptic 
5 curve cryptosystem . 

BACKGROUND ART 

An elliptic curve cryptosystem is a type of a 
public key cryptosystem proposed by N. Koblitz, V.S. 
Miller. The public key cryptosystem includes informa- 

10 tion called a public key which may be opened to the 
public, and private information called a private key 
which has to be concealed. The public key is used to 
encrypt a given message or to verify signature, and the 
private key is used to decrypt the given message or to 

15 generate signature. The private key in the elliptic 
curve cryptosystem is carried by a scalar value. 
Moreover, security of the elliptic curve cryptosystem 
originates from difficulty in solving a discrete 
logarithm problem on an elliptic curve. The discrete 

20 logarithm problem on the elliptic curve is a problem of 
obtaining a scalar value d, when a certain point P on 
the elliptic curve and a scalar-multiplied point dP are 
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given. Here, the point on the elliptic curve refers to 
a set of numerals which satisfy a defining equation of 
the elliptic curve. For all points on the elliptic 
curve, an operation in which a virtual point called the 
5 point at infinity is used as an identity element, that 
is, addition on the elliptic curve is defined. More- 
over, particularly the addition of the same points on 
the elliptic curve is called doubling on the elliptic 
curve. The addition of two points on the elliptic 

10 curve is calculated as follows. A line drawn through 
two points intersects the elliptic curve in another 
point. A point which is symmetric with the intersected 
point with respect to an x-axis is set as a result of 
the addition. The doubling of the point on the 

15 elliptic curve is carried out as follows. When a 
tangent line in the point on the elliptic curve is 
drawn, the tangent line intersects the elliptic curve 
in another point. A point symmetric with the inter- 
sected point with respect to x-coordinate is set as a 

20 result of the doubling. A specified number of 

additions performed with respect to a certain point is 
referred to as scalar multiplication, a result of the 
multiplication is referred to as a scalar-multiplied 
point, and the number is referred to as a scalar value. 

25 With progress of information communication 

network, a cryptography technique is an indispensable 
element for concealment or authentication with respect 
to electronic information. There is a demand for 
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security of the cryptography technology and speed 
increase. The discrete logarithm problem on the 
elliptic curve is very difficult, and therefore a key 
length of the elliptic curve cryptosystem can be set to 
5 be relatively short as compared with an RSA crypto- 
system in which difficulty of integer factorization is 
a ground for security. Therefore, a relatively fast 
cryptography processing is possible. However, in a 
smart card whose processing ability is limited, a 
10 server in which a large amount of cryptography process- 
ing needs to be performed, and the like, the speed is 
not necessarily or satisfactorily high. Therefore, it 
is necessary to further increase the speed of the 
cryptography . 

15 An elliptic curve called a Weierstrass-f orm 

elliptic curve is usually used in the elliptic curve 
cryptosystem. In A. Miyaji, T. Ono, H. Cohen, 
Efficient elliptic curve exponentiation using mixed 
coordinates. Advances in Cryptology Proceedings of 

20 ASIACRYPT' 98, LNCS 1514, Springer-Verlag, (1988) pp.51- 
65, a scalar multiplication method using a window 
method and the mixed coordinates mainly including 
Jacobian coordinates in the Weierstrass-f orm elliptic 
curve is described as a fast scalar multiplication 

25 method. In this calculation method, coordinates of the 
scalar-multiplied point are not omitted and are exactly 
indicated. That is, all values of x-coordinate and y- 
coordinate are given in affine coordinates, and all 
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values of X-coordinate, Y-coordinate, and Z-coordinate 
are given in projective coordinates or Jacobian 
coordinates - 

On the other hand, it is described in P.L. 
5 Montgomery, Speeding the Pollard and Elliptic Curve 
Methods of Factorization, Math. Coitip. 48(1987) pp. 243- 
2 64 that an operation can be executed at a higher speed 
using a Montgomery- form elliptic curve BY^=X^+AK^+X (A, 
BGFp) rather than using the Weierstrass-f orm elliptic 

10 curve. This is because with use of the Montgomery- form 
elliptic curve in the scalar multiplication method for 
repeatedly calculating a set of points (2mP, (2m+l)P) 
or a set of points ((2m+l)P, (2m+2)P) from a set of 
points (mP, (m+l)P) on the elliptic curve depending 

15 upon the value of a specified bit of the scalar value, 
a calculation time of addition or doubling is reduced. 
A calculation speed of the scalar multiplication method 
is higher than that of a case in which the window 
method is used and the mixed coordinates mainly includ- 

20 ing Jacobian coordinates are used in the Weierstrass- 
form elliptic curve. However, a value of y-coordinate 
of the point on the elliptic curve is not calculated in 
this method. This does not matter in many cryptography 
processings because the y-coordinate is intrinsically 

25 unused. However, the value of y-coordinate is also 

necessary in order to execute some of the cryptography 
processings or to conform to standards in a complete 
form. 
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A case in which characteristics of a defined 
field of the elliptic curve are primes of 5 or more has 
been described above. On the other hand, for the 
elliptic curve defined on a finite field having 
5 characteristics of 2, a fast scalar multiplication 

method for giving a complete coordinate of the scalar- 
multiplied point is described in J. Lopez, R. Dahab, 
Fast Multiplication on Elliptic Curves over GF(2'^) 
without Precomputation, Cryptographies Hardware and 

10 Embedded Systems: Proceedings of CHES' 99, LNCS 1717, 
Springer-Verlag, (1999) pp. 316-327 . 

According to the conventional art, when the 
elliptic curve defined on the finite field with 
characteristics of 5 or more is used to constitute the 

15 elliptic curve cryptosystem, and the window method and 
mixed coordinates are used in the Weierstrass-f orm 
elliptic curve, the coordinate of the scalar-multiplied 
point can completely be calculated. However, the 
calculation cannot be performed as fast as the calcula- 

20 tion using the scalar multiplication method of the 

Montgomery- form elliptic curve. With the use of the 
scalar multiplication method in the Montgomery- form 
elliptic curve, the calculation can be performed at a 
higher speed than with use of the window method and 

25 mixed coordinates in the Weierstrass-f orm elliptic 

curve- However, it is impossible to completely give 
the coordinate of the scalar-multiplied point, that is, 
it is impossible to calculate the y-coordinate . 
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Therefore, when an attempt is made to speed the scalar 
multiplication method, the coordinate of the scalar- 
multiplied point cannot completely be given. When an 
attempt is made to completely give the coordinate of 
5 the scalar-multiplied point, a fast calculation cannot 
be achieved - 



DISCLOSURE OF INVENTION 

An object of the present invention is to 
provide a scalar multiplication method which can 

10 completely give a coordinate of a scalar-multiplied 

point at a high speed substantially equal to a speed of 
a scalar multiplication in a Montgomery-form elliptic 
curve in an elliptic curve defined on a finite field 
with characteristics of 5 or more. That is, the x- 

15 coordinate and y-coordinate can be calculated. 

As one means for achieving the object, 
according to the present invention, there is provided a 
scalar multiplication method for calculating a scalar- 
multiplied point from a scalar value and a point on an 

20 elliptic curve in the elliptic curve defined on a 

finite field with characteristics of 5 or more in an 
elliptic curve cryptosystem, the method comprising: a 
step of calculating partial information of the scalar- 
multiplied point; and a step of recovering a complete 

25 coordinate from the partial information of the scalar- 
multiplied point. 

Moreover, as one means for achieving the 
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object, there is provided a scalar multiplication 
method for calculating a scalar-multiplied point from a 
scalar value and a point on an elliptic curve in the 
elliptic curve defined on a finite field with 
5 characteristics of 5 or more in an elliptic curve 

cryptosystem, the method comprising: a step of calcu- 
lating partial information of the scalar-multiplied 
point; and a step of recovering a complete coordinate 
in affine coordinates from the partial information of 

10 the scalar-multiplied point. 

Furthermore, as one means for achieving the 
object, there is provided a scalar multiplication 
method for calculating a scalar-multiplied point from a 
scalar value and a point on an elliptic curve in the 

15 elliptic curve defined on a finite field with 

characteristics of 5 or more in an elliptic curve 
cryptosystem, the method comprising: a step of calcu- 
lating partial information of the scalar-multiplied 
point; and a step of recovering a complete coordinate 

20 in projective coordinates from the partial information 
of the scalar-multiplied point. 

Additionally, as one means for achieving the 
object, there is provided a scalar multiplication 
method for calculating a scalar-multiplied point from a 

25 scalar value and a point on a Montgomery-form elliptic 
curve in the Montgomery- form elliptic curve defined on 
a finite field with characteristics of 5 or more in an 
elliptic curve cryptosystem, the method comprising: a 
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step of calculating partial information of the scalar- 
multiplied point; and a step of recovering a complete 
coordinate from the partial information of the scalar- 
multiplied point. 
5 Moreover, as one means for achieving the 

object, there is provided a scalar multiplication 
method for calculating a scalar-multiplied point from a 
scalar value and a point on a Weierstrass-f orm elliptic 
curve in the Weierstrass-f orm elliptic curve defined on 

10 a finite field with characteristics of 5 or more in an 
elliptic curve cryptosystem, the method comprising: a 
step of calculating partial information of the scalar- 
multiplied point; and a step of recovering a complete 
coordinate from the partial information of the scalar- 

15 multiplied point - 

Furthermore, as one means for achieving the 
object, there is provided a scalar multiplication 
method for calculating a scalar-multiplied point from a 
scalar value and a point on a Montgomery- form elliptic 

20 curve in the Montgomery-form elliptic curve defined on 
a finite field with characteristics of 5 or more in an 
elliptic curve cryptosystem, the method comprising: a 
step of calculating partial information of the scalar- 
multiplied point; and a step of giving X-coordinate and 

25 Z-coordinate of the scalar-multiplied point given as 

the partial information of the scalar-multiplied point 
in projective coordinates and X-coordinate and Z- 
coordinate of a point obtained by adding the scalar- 
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multiplied point and the point on the Montgomery- form 
elliptic curve in the projective coordinates , and 
recovering a complete coordinate in affine coordinates. 

Additionally, as one means for achieving the 
5 object, there is provided a scalar multiplication 

method for calculating a scalar-multiplied point from a 
scalar value and a point on a Montgomery- form elliptic 
curve in the Montgomery- form elliptic curve defined on 
a finite field with characteristics of 5 or more in an 

10 elliptic curve cryptosystem, the method comprising: a 
step of calculating partial information of the scalar- 
multiplied point; and a step of giving X-coordinate and 
Z-coordinate of the scalar-multiplied point given as 
the partial information of the scalar-multiplied point 

15 in projective coordinates and X-coordinate and Z- 

coordinate of a point obtained by adding the scalar- 
multiplied point and the point on the Montgomery- form 
elliptic curve in the projective coordinates, and 
recovering a complete coordinate in the projective 

20 coordinates. 

Moreover, as one means for achieving the 
object, there is provided a scalar multiplication 
method for calculating a scalar-multiplied point from a 
scalar value and a point on a Montgomery-form elliptic 

25 curve in the Montgomery- form elliptic curve defined on 
a finite field with characteristics of 5 or more in an 
elliptic curve cryptosystem, the method comprising: a 
step of calculating partial information of the scalar- 
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multiplied point; and a step of giving X-coordinate and 
Z-coordinate of the scalar-multiplied point given as 
the partial information of the scalar-multiplied point 
in projective coordinates, X-coordinate and Z- 
5 coordinate of a point obtained by adding the scalar- 
multiplied point and the point on the Montgomery- form 
elliptic curve in the projective coordinates, and X- 
coordinate and Z-coordinate of a point obtained by 
subtracting the scalar-multiplied point and the point 

10 on the Montgomery- form elliptic curve in the projective 
coordinates, and recovering a complete coordinate in 
af f ine coordinates . 

Furthermore, as one means for achieving the 
object, there is provided a scalar multiplication 

15 method for calculating a scalar-multiplied point from a 
scalar value and a point on a Montgomery- form elliptic 
curve in the Montgomery- form elliptic curve defined on 
a finite field with characteristics of 5 or more in an 
elliptic curve cryptosys tern, the method comprising: a 

20 step of calculating partial information of the scalar- 
multiplied point; and a step of giving X-coordinate and 
Z-coordinate of the scalar-multiplied point given as 
the partial information of the scalar-multiplied point 
in projective coordinates, X-coordinate and Z- 

25 coordinate of a point obtained by adding the scalar- 
multiplied point and the point on the Montgomery- form 
elliptic curve in the projective coordinates, and X- 
coordinate and Z-coordinate of a point obtained by 
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subtracting the scalar-multiplied point and the point 
on the Montgomery- form elliptic curve in the projective 
coordinates, and recovering a complete coordinate in 
the projective coordinates. 
5 Additionally, as one means for achieving the 

object, there is provided a scalar multiplication 
method for calculating a scalar-multiplied point from a 
scalar value and a point on a Montgomery- form elliptic 
curve in the Montgomery-form elliptic curve defined on 

10 a finite field with characteristics of 5 or more in an 
elliptic curve cryptosystem, the method comprising: a 
step of calculating partial information of the scalar- 
multiplied point; and a step of giving x-coordinate of 
the scalar-multiplied point given as the partial 

15 information of the scalar-multiplied point in affine 

coordinates, x-coordinate of a point obtained by adding 
the scalar-multiplied point and the point on the 
Montgomery- form elliptic curve in the affine coordi- 
nates, and x-coordinate of a point obtained by 

20 subtracting the scalar-multiplied point and the point 
on the Montgomery- form elliptic curve in the affine 
coordinates, and recovering a complete coordinate in 
the affine coordinates. 

Moreover, as one means for achieving the 

25 object, there is provided a scalar multiplication 

method for calculating a scalar-multiplied point from a 
scalar value and a point on a Weierstrass-f orm elliptic 
curve in the Weierstrass-f orm elliptic curve defined on 
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a finite field with characteristics of 5 or more in an 
elliptic curve cryptosystem, the method comprising: a 
step of calculating partial information of the scalar- 
multiplied point; and a step of giving X-coordinate and 
5 Z-coordinate of the scalar-multiplied point given as 
the partial information of the scalar-multiplied point 
in projective coordinates, X-coordinate and Z- 
coordinate of a point obtained by adding the scalar- 
multiplied point and the point on the Weierstrass-f orm 
10 elliptic curve in the projective coordinates, and X- 
coordinate and Z-coordinate of a point obtained by 
subtracting the scalar-multiplied point and the point 
on the Weierstrass-form elliptic curve in the projec- 
tive coordinates, and recovering a complete coordinate 
15 in affine coordinates. 

Furthermore, as one means for achieving the 
object, there is provided a scalar multiplication 
method for calculating a scalar-multiplied point from a 
scalar value and a point on a Weierstrass-form elliptic 
20 curve in the Weierstrass-form elliptic curve defined on 
a finite field with characteristics of 5 or more in an 
elliptic curve cryptosystem, the method comprising: a 
step of calculating partial information of the scalar- 
multiplied point; and a step of giving X-coordinate and 
25 Z-coordinate of the scalar-multiplied point given as 

the partial information of the scalar-multiplied point 
in projective coordinates, X-coordinate and Z- 
coordinate of a point obtained by adding the scalar- 
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multiplied point and the point on the Weierstrass-f orm 
elliptic curve in the projective coordinates, and X- 
coordinate and Z-coordinate of a point obtained by 
subtracting the scalar-multiplied point and the point 
5 on the Weierstrass-f orm elliptic curve in the projec- 
tive coordinates, and recovering a complete coordinate 
in the projective coordinates. 

Additionally, as one means for achieving the 
object, there is provided a scalar multiplication 

10 method for calculating a scalar-multiplied point from a 
scalar value and a point on a Weierstrass-f orm elliptic 
curve in the Weierstrass-f orm elliptic curve defined on 
a finite field with characteristics of 5 or more in an 
elliptic curve cryptosystem, the method comprising: a 

15 step of calculating partial information of the scalar- 
multiplied point; and a step of giving x-coordinate of 
the scalar-multiplied point given as the partial 
information of the scalar-multiplied point in affine 
coordinates, x-coordinate of a point obtained by adding 

20 the scalar-multiplied point and the point on the 

Weierstrass-form elliptic curve in the affine coordi- 
nates, and x-coordinate of a point obtained by 
subtracting the scalar-multiplied point and the point 
on the Weierstrass-form elliptic curve in the affine 

25 coordinates, and recovering a complete coordinate in 
the affine coordinates. 

Moreover, as one means for achieving the 
object, there is provided a scalar multiplication 



method for calculating a scalar-multiplied point from a 
scalar value and a point on a Weierstrass-f orm elliptic 
curve in the Weierstrass-f orm elliptic curve defined on 
a finite field with characteristics of 5 or more in an 
5 elliptic curve cryptosystem, the method comprising: a 
step of transforming the Weierstrass-f orm elliptic 
curve to a Montgomery- form elliptic curve; a step of 
calculating partial information of the scalar- 
multiplied point in the Montgomery- form elliptic curve; 

10 and a step of recovering a complete coordinate in the 
Weierstrass-form elliptic curve from the partial 
information of the scalar-multiplied point in the 
Montgomery- form elliptic curve. 

Furthermore, as one means for achieving the 

15 object, there is provided a scalar multiplication 

method for calculating a scalar-multiplied point from a 
scalar value and a point on a Weierstrass-form elliptic 
curve in the Weierstrass-form elliptic curve defined on 
a finite field with characteristics of 5 or more in an 

20 elliptic curve cryptosystem, the method comprising: a 
step of transforming the Weierstrass-form elliptic 
curve to a Montgomery- form elliptic curve; a step of 
calculating partial information of the scalar- 
multiplied point in the Montgomery- form elliptic curve; 

25 a step of recovering a complete coordinate in the 
Montgomery- form elliptic curve from the partial 
information of the scalar-multiplied point in the 
Montgomery- form elliptic curve; and a step of calcu- 
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lating the scalar-multiplied point in the Weierstrass- 
form elliptic curve from the scalar-multiplied point in 
which the complete coordinate is recovered in the 
Montgomery-form elliptic curve. 
5 Additionally, as one means for achieving the 

object, there is provided a scalar multiplication 
method for calculating a scalar-multiplied point from a 
scalar value and a point on a Weierstrass-f orm elliptic 
curve in the Weierstrass-f orm elliptic curve defined on 

10 a finite field with characteristics of 5 or more in an 
elliptic curve cryptosystem, the method comprising: a 
step of transforming the Weierstrass-f orm elliptic 
curve to a Montgomery- form elliptic curve; a step of 
calculating partial information of the scalar- 

15 multiplied point in the Montgomery-form elliptic curve; 
and a step of giving X-coordinate and Z-coordinate of 
the scalar-multiplied point given as the partial 
information of the scalar-multiplied point in the 
Montgomery- form elliptic curve in projective coordi- 

20 nates in the Montgomery- form elliptic curve, and X- 
coordinate and Z-coordinate of a point obtained by 
adding the scalar-multiplied point and the point on the 
Montgomery-form elliptic curve in the projective 
coordinates, and recovering a complete coordinate in 

25 affine coordinates in the Weierstrass-f orm elliptic 
curve . 

Moreover, as one means for achieving the 
object, there is provided a scalar multiplication 
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method for calculating a scalar-multiplied point from a 
scalar value and a point on a Weierstrass~f orm elliptic 
curve in the Weierstrass-f orm elliptic curve defined on 
a finite field with characteristics of 5 or more in an 
5 elliptic curve cryptosystem, the method comprising: a 
step of transforming the Weierstrass-f orm elliptic 
curve to a Montgomery- form elliptic curve; a step of 
calculating partial information of the scalar- 
multiplied point in the Montgomery-form elliptic curve; 

10 and a step of giving X-coordinate and Z-coordinate of 
the scalar-multiplied point given as the partial 
information of the scalar-multiplied point in the 
Montgomery-form elliptic curve in projective coordi- 
nates in the Montgomery-form elliptic curve, and X- 

15 coordinate and Z-coordinate of a point obtained by 

adding the scalar-multiplied point and the point on the 
Montgomery- form elliptic curve in the projective 
coordinates, and recovering a complete coordinate in 
the projective coordinates in the Weierstrass-f orm 

20 elliptic curve. 

Furthermore, as one means for achieving the 
object, there is provided a scalar multiplication 
method for calculating a scalar-multiplied point from a 
scalar value and a point on a Weierstrass-f orm elliptic 

25 curve in the Weierstrass-f orm elliptic curve defined on 
a finite field with characteristics of 5 or more in an 
elliptic curve cryptosystem, the method comprising: a 
step of transforming the Weierstrass-f orm elliptic 
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curve to a Montgomery- form elliptic curve; a step of 
calculating partial information of the scalar- 
multiplied point in the Montgomery- form elliptic curve; 
and a step of giving X-coordinate and Z-coordinate of 
5 the scalar-multiplied point given as the partial 
information of the scalar-multiplied point in the 
Montgomery- form elliptic curve in projective coordi- 
nates in the Montgomery- form elliptic curve, X- 
coordinate and Z-coordinate of a point obtained by 

10 adding the scalar-multiplied point and the point on the 
Montgomery- form elliptic curve in the projective 
coordinates, and X-coordinate and Z-coordinate of a 
point obtained by subtracting the scalar-multiplied 
point and the point on the Montgomery- form elliptic 

15 curve in the projective coordinates, and recovering a 
complete coordinate in affine coordinates in the 
Weierstrass-f orm elliptic curve. 

Additionally, according to the present 
invention, there is provided a scalar multiplication 

20 method for calculating a scalar-multiplied point from a 
scalar value and a point on a Weierstrass-f orm elliptic 
curve in the Weierstrass-f orm elliptic curve defined on 
a finite field with characteristics of 5 or more in an 
elliptic curve cryptosystem, the method comprising: a 

25 step of transforming the Weierstrass-f orm elliptic 

curve to a Montgomery-form elliptic curve; a step of 
calculating partial information of the scalar- 
multiplied point in the Montgomery- form elliptic curve; 
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and a step of giving X-coordinate and Z-coordinate of 
the scalar-multiplied point given as the partial 
information of the scalar-multiplied point in the 
Montgomery- form elliptic curve in projective coordi- 
5 nates in the Montgomery- form elliptic curve, X- 

coordinate and Z-coordinate of a point obtained by 
adding the scalar-multiplied point and the point on the 
Montgomery- form elliptic curve in the projective 
coordinates, and X-coordinate and Z-coordinate of a 

10 point obtained by subtracting the scalar-multiplied 
point and the point on the Montgomery- form elliptic 
curve in the projective coordinates, and recovering a 
complete coordinate in the projective coordinates in 
the Weierstrass-f orm elliptic curve. 

15 Moreover, as one means for achieving the 

object, there is provided a scalar multiplication 
method for calculating a scalar-multiplied point from a 
scalar value and a point on a Weierstrass-f orm elliptic 
curve in the Weierstrass-f orm elliptic curve defined on 

20 a finite field with characteristics of 5 or more in an 
elliptic curve cryptosystem, the method comprising: a 
step of transforming the Weierstrass-f orm elliptic 
curve to a Montgomery- form elliptic curve; a step of 
calculating partial information of the scalar- 

25 multiplied point in the Montgomery- form elliptic curve; 
and a step of giving x-coordinate of the scalar- 
multiplied point given as the partial information of 
the scalar-multiplied point in the Montgomery-form 
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elliptic curve in affine coordinates in the Montgomery- 
form elliptic curve, x-coordinate of a point obtained 
by adding the scalar-multiplied point and the point on 
the Montgomery- form elliptic curve in the affine 
5 coordinates, and x-coordinate of a point obtained by 
subtracting the scalar-multiplied point and the point 
on the Montgomery- form elliptic curve in the affine 
coordinates, and recovering a complete coordinate in 
the affine coordinates in the Weierstrass-f orm elliptic 
10 curve. 

BRIEF DESCRIPTION OF DRAWINGS 

FIG. 1 is a constitution diagram of an 

cryptography processing system of the present inven- 
tion - 

15 FIG. 2 is a diagram showing a flow of a 

processing in a scalar multiplication method and 
apparatus according to an embodiment of the present 
invention . 

FIG. 3 is a sequence diagram showing a flow 
20 of a processing in the cryptography processing system 
of FIG. 1. 

FIG. 4 is a flowchart showing a fast scalar 
multiplication method in the scalar multiplication 
method according to first, second, fourteenth, and 
25 fifteenth embodiments of the present invention . 

FIG. 5 is a flowchart showing the fast scalar 
multiplication method in the scalar multiplication 
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method according to third and fourth embodiments of the 
present invention . 

FIG. 6 is a flowchart showing the fast scalar 
multiplication method in the scalar multiplication 
5 method according to a fifth embodiment of the present 
invention . 

FIG. 7 is a flowchart showing the fast scalar 
multiplication method in the scalar multiplication 
method according to sixth, seventh, and eighth embodi- 

10 ments of the present invention. 

FIG. 8 is a flowchart showing the fast scalar 
multiplication method in the scalar multiplication 
method according to ninth, tenth, twentieth, and 
twenty-first embodiments of the present invention. 

15 FIG. 9 is a flowchart showing a coordinate 

recovering method in the scalar multiplication method 
according to the second embodiment of the present 
invention . 

FIG. 10 is a flowchart showing the fast 
20 scalar multiplication method in the scalar multipli- 
cation method according to eleventh and twelfth 
embodiments of the present invention. 

FIG. 11 is a flowchart showing the coordinate 
recovering method in the scalar multiplication method 
25 according to the first embodiment of the present 
invention. 

FIG. 12 is a flowchart showing the coordinate 
recovering method in the scalar multiplication method 
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according to the third embodiment of the present 
invention. 

FIG. 13 is a flowchart showing the coordinate 
recovering method in the scalar multiplication method 
5 according to the fourth embodiment of the present 
invention- 

FIG- 14 is a flowchart showing the coordinate 
recovering method in the scalar multiplication method 
according to the sixth embodiment of the present 
10 invention - 

FIG, 15 is a flowchart showing the coordinate 
recovering method in the scalar multiplication method 
according to the seventh embodiment of the present 
invention . 

15 FIG. 16 is a flowchart showing the coordinate 

recovering method in the scalar multiplication method 
according to the eighth embodiment of the present 
invention. 

FIG- 17 is a flowchart showing the coordinate 
20 recovering method in the scalar multiplication method 
according to the ninth embodiment of the present 
invention . 

FIG. 18 is a flowchart showing the coordinate 
recovering method in the scalar multiplication method 
25 according to the tenth embodiment of the present 
invention . 

FIG. 19 is a flowchart showing the coordinate 
recovering method in the scalar multiplication method 
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according to the eleventh embodiment of the present 
invention . 

FIG. 20 is a flowchart showing the coordinate 
recovering method in the scalar multiplication method 
5 according to the twelfth embodiment of the present 
invention. 

FIG, 21 is a flowchart showing the coordinate 
recovering method in the scalar multiplication method 
according to a thirteenth embodiment of the present 
10 invention. 

FIG. 22 is a constitution diagram of a 
signature generation unit according to the embodiment 
of the present invention. 

FIG. 23 is a constitution diagram of a 
15 decryption unit according to the embodiment of the 
present invention. 

FIG. 24 is a flowchart showing the fast 
scalar multiplication method in the scalar multipli- 
cation method according to the thirteenth embodiment of 
20 the present invention. 

FIG. 25 is a flowchart showing the scalar 
multiplication method in a scalar multiplication 
apparatus of FIG. 2. 

FIG. 26 is a flowchart showing the coordinate 
25 recovering method in the scalar multiplication method 
according to the fifth embodiment of the present 
invention. 

FIG. 27 is a diagram showing a flow of a 
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processing in the scalar multiplication method and 
apparatus according to the embodiment of the present 
invention . 

FIG. 2 8 is a flowchart showing a signature 
5 generation method in the signature generation unit of 
FIG. 22. 

FIG. 29 is a sequence diagram showing a flow 
of a processing in the signature generation unit of 
FIG. 22. 

10 FIG. 30 is a flowchart showing a decryption 

method in the decryption unit of FIG. 23. 

FIG. 31 is a sequence diagram showing a flow 
of a processing in the decryption unit of FIG. 23. 

FIG. 32 is a flowchart showing a cryptography 
15 processing method in the cryptography processing system 
of FIG. 1- 

FIG. 33 is a flowchart showing the scalar 
multiplication method in the scalar multiplication 
apparatus of FIG. 27. 
20 FIG. 34 is a flowchart showing the coordinate 

recovering method in the scalar multiplication method 
according to the fourteenth embodiment of the present 
invention . 

FIG. 35 is a flowchart showing the coordinate 
25 recovering method in the scalar multiplication method 
according to the fifteenth embodiment of the present 
invention . 

FIG. 36 is a flowchart showing the coordinate 
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recovering method in the scalar multiplication method 
according to a sixteenth embodiment of the present 
invention . 

FIG. 37 is a flowchart showing the coordinate 
5 recovering method in the scalar multiplication method 
according to a seventeenth embodiment of the present 
invention . 

FIG. 38 is a flowchart showing the coordinate 
recovering method in the scalar multiplication method 
10 according to an eighteenth embodiment of the present 
invention . 

FIG. 39 is a flowchart showing the coordinate 
recovering method in the scalar multiplication method 
according to a nineteenth embodiment of the present 
15 invention. 

FIG. 40 is a flowchart showing the coordinate 
recovering method in the scalar multiplication method 
according to the twentieth embodiment of the present 
invention . 

20 FIG- 41 is a flowchart showing the coordinate 

recovering method in the scalar multiplication method 
according to the twenty-first embodiment of the present 
invention. 

FIG. 42 is a flowchart showing the coordinate 
25 recovering method in the scalar multiplication method 
according to a twenty-second embodiment of the present 
invention . 

FIG. 43 is a flowchart showing the fast 



scalar multiplication method in the scalar multipli- 
cation method according to the sixteenth embodiment of 
the present invention. 

FIG. 44 is a flowchart showing the fast 
5 scalar multiplication method in the scalar multipli- 
cation method according to the seventeenth, eighteenth, 
and nineteenth embodiments of the present invention. 

FIG. 45 is a flowchart showing the fast 
scalar multiplication method in the scalar multipli- 
10 cation method according to the twenty-second embodiment 
of the present invention. 

BEST MODE FOR CARRYING OUT THE INVENTION 

Embodiments of the present invention will be 
described hereinafter with reference to the drawings. 

15 FIG. 1 shows a constitution of an encryption/ 

decryption processing apparatus. An encryption/ 
decryption processing apparatus 101 performs either one 
of encryption of an inputted message and decryption of 
the encrypted message. Additionally, an elliptic curve 

20 handled herein is an elliptic curve having character- 
istics of 5 or more. 

When the inputted message is encrypted, and 
the encrypted message is decrypted, the following 
equation 1 is generally established. 

25 Pm+k(aQ) -a{kQ) = Pm ... Equation 1 

Here, Pm denotes a message, k denotes a 
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random number, a denotes a constant indicating a 
private key, and Q denotes a fixed point. In this 
equation, aQ of Pm+k(aQ) indicates a public key, and 
indicates that the inputted message is encrypted by the 
5 public key. On the other hand, a of a(kQ) indicates 
the private key, and indicates that the message is 
decrypted by the private key- 
Therefore, when the encryption/decryption 
processing apparatus 101 shown in FIG. 1 is used only 
10 in the encryption of the message, Pm+k(aQ) and kQ are 
calculated and outputted. When the apparatus is used 
only in the decryption, -a(kQ) is calculated from the 
private key a and kQ, and (Pm+k (aQ) ) -a ( kQ) may be 
calculated and outputted. 
15 The encryption/decryption processing 

apparatus 101 shown in FIG. 1 includes a processing 
unit 110, storage unit 120, and register unit 130. The 
processing unit 120 indicates a processing necessary 
for an encryption processing in functional blocks, and 
20 includes an encryption/decryption processor 102 for 
encrypting the inputted message and decrypting the 
encrypted message, and a scalar multiplication unit 103 
for calculating parameters necessary for the 
encryption/decryption performed by the encryption/ 
25 decryption processor 102. The storage unit 120 stores 
a constant, private information (e.g./ the private 
key), and the like. The register unit 130 temporarily 
stores a result of operation in the encryption/ 
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decryption processing, and the information stored in 
the storage unit 120, Additionally, the processing 
unit 110, and register unit 130 can be realized by an 
exclusive-use operation unit, CPU, and the like which 
5 perform a processing described hereinafter, and the 

storage unit 120 can be realized by a RAM, ROM, and the 
like. 

An operation of the encryption/decryption 
processing apparatus 101 shown in FIG. 1 will next be 

10 described. FIG. 3 shows transmission of information of 
each unit when the encryption/decryption processing 
apparatus 101 performs the encryption/decryption. The 
encryption/decryption processor 102 is represented as 
the encryption processor 102 when performing an encryp- 

15 tion processing, and as the decryption processor 102 
when performing a decryption processing. 

An operation for encrypting the inputted 
message will first be described with reference to FIG. 
30. 

20 A message is inputted into the encryption/ 

decryption processor 102 (3001), and it is then judged 
whether or not a bit length of the inputted message is 
a predetermined bit length. When the length is longer 
than the predetermined bit length, the message is 

25 divided in order to obtain the predetermined bit length 
(it is assumed in the following description that the 
message is divided into the predetermined bit length) . 
Subsequently, the encryption/decryption processor 102 



calculates a value (yl) of y-coordinate on an elliptic 
curve having a numeric value (xl) represented by a bit 
string of the message in x-coordinate . For example, a 
Montgomery- form elliptic curve is represented by 
5 Byl^=xl^+Axl^+xl, and the value of y-coordinate can be 
obtained from this curve. Additionally, B, A are 
constants. The encryption processor 102 sends a public 
key aQ and values of x-coordinate and y-coordinate of Q 
to the scalar multiplication unit 103. In this case, 

10 the encryption processor 102 generates a random number, 
and sends this number to the scalar multiplication unit 
103 (3002) . The scalar multiplication unit 103 
calculates a scalar-multiplied point (xdl, ydl) by the 
values of x-coordinate and y-coordinate of Q and the 

15 random number, and a scalar-multiplied point (xd2, yd2) 
by the values of x-coordinate and y-coordinate of the 
public key aQ and the random number (3003) , and sends 
the calculated scalar-multiplied points to the encryp- 
tion processor 102 (3004) , The encryption processor 

20 102 uses the sent scalar-multiplied point to perform an 
encryption processing (3005) . For example, with 
respect to the Montgomery- form elliptic curve, 
encrypted messages xel, xe2 are obtained from the 
following equation . 

25 xel=B( (ydl-yl) / (xdl-xl) )'-A-xl-xdl ... Equation 2 

xe2 = xd2 . - • Equation 3 

The encryption/decryption processing 



apparatus 101 outputs the message encrypted by the 
encryption/decryption processor 102. (3006) 

An operation for decrypting the encrypted 
message will next be described with reference to FIG. 
5 32. 

When the encrypted message is inputted into 
the encryption/decryption processor 102 (3201), the 
value of y~coordinate on the elliptic curve having the 
numeric value represented by the bit string of the 

10 encrypted message in x-coordinate is calculated. Here, 
the encrypted message is a bit string of xel, xe2, and 
with the Montgomery-form elliptic curve, a value (yel) 
of y-coordinate is obtained from Byel^=xel^+Axel^+xel . 
Additionally, B, A are respective constants. The 

15 encryption/decryption processor 102 sends values (xel, 
Yel) of x-coordinate and y-coordinate to the scalar 
multiplication unit 103 (3202) . The scalar multipli- 
cation unit 103 reads private information from the 
storage unit 120 (3203), calculates a scalar-multiplied 

20 point (xd3, yd3) from the values of x-coordinate and y- 
coordinate and the private information (3204), and 
sends the calculated scalar-multiplied points to the 
encryption/decryption processor 102 (3205) . The 
encryption/decryption processor 102 uses the sent 

25 scalar-multiplied point to perform a decryption 

processing (3206) . For example, the encrypted message 
is a bit string of xel, xe2, and with the Montgomery- 
form elliptic curve, xfl is obtained by the following 
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equation . 

xf 1=B ( (ye2+yd3) / (xe2-xd3) ) ^-A-xe2-xd3 ... Equation 4 

This xfl corresponds to the message xl before 

encrypted. 

5 The decryption processor 102 outputs the 

decrypted message xfl (3207) . 

As described above, the encryption/decryption 
processor 102 performs the encryption or decryption 
processing . 

10 A processing of the scalar multiplication 

unit 103 of the encryption processing apparatus 101 
will next be described. Here, an example in which the 
encryption processing apparatus 101 performs the 
decryption processing will be described hereinafter. 

15 FIG. 2 shows functional blocks of the scalar 

multiplication unit 103. FIG. 25 shows an operation of 
the scalar multiplication unit 103. 

A fast scalar multiplication unit 202 
receives the scalar value as the private information 

20 and encrypted message, and a point on the elliptic 

curve as a value of Y-coordinate on the elliptic curve 
having the encrypted message on X-coordinate (step 
2501) . Then, the fast scalar multiplication unit 202 
calculates some values of the coordinate of the scalar- 

25 multiplied point from the received scalar value and 

point on the elliptic curve (step 2502), and gives the 
information to a coordinate recovering unit 203 (step 
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2503) . The coordinate recovering unit 203 recovers the 
coordinate of the scalar-multiplied point from informa- 
tion of the given scalar-multiplied point and the 
inputted point on the elliptic curve (step 2504) . A 
5 scalar multiplication unit 103 outputs the scalar- 
multiplied point with the coordinate completely given 
thereto as a calculation result (step 2505) . Here, the 
scalar-multiplied point with the coordinate completely 
given thereto means that the y-coordinate is calculated 
10 and outputted (this also applied to the following) . 

Some embodiments of the fast scalar multipli- 
cation unit 202 and coordinate recovering unit 203 of 
the scalar multiplication unit 103 will be described 
hereinafter • 

15 In a first embodiment, the scalar multipli- 

cation unit 103 calculates and outputs a scalar- 
multiplied point (Xd, yd) with the complete coordinate 
given thereto as a point of affine coordinates in the 
Montgomery-form elliptic curve from a scalar value d 

20 and a point P on the Montgomery- form elliptic curve. 
The scalar value d and the point P on the Montgomery- 
form elliptic curve are inputted into the scalar 
multiplication unit 103 and then received by the fast 
scalar multiplication unit 202. The fast scalar 

25 multiplication unit 202 calculates and in a 

coordinate of a scalar-multiplied point dP= (X^, Y^i, Z^) 
represented by projective coordinates in the 
Montgomery-form elliptic curve, and X^^^ and Z^+i in a 



coordinate of a point (d+l ) P= (X^+i^ Y^+if Z^^+i) on the 
Montgomery- form elliptic curve represented by the 
projective coordinates from the received scalar value d 
and the given point P on the Montgomery- form elliptic 
5 curve, and gives the information together with an 

inputted point P=(x,y) on the Montgomery- form elliptic 
curve represented by the affine coordinates to the 
coordinate recovering unit 203. The coordinate 
recovering unit 203 recovers coordinates and y^ of 

10 the scalar-multiplied point dP=(Xd,yd) represented by 
the affine coordinates in the Montgomery- form elliptic 
curve from the given coordinate values X^i, Z^, X^+i/ Z^+i, 
X and y. The scalar multiplication unit 103 outputs 
the scalar-multiplied point (x^^y^) with the coordinate 

15 completely given thereto in the affine coordinates as 
the calculation output, 

A processing of the coordinate recovering 
unit which outputs x^, y^ from the given coordinates x, 
y, Xd, Zd, Xd+i/ Zd+i will next be described with reference 

20 to FIG. 11. 

The coordinate recovering unit 203 inputs X^, 
and Zd in the coordinate of the scalar-multiplied point 
dP= (Xd, represented by the projective coordinates 

in the Montgomery-form elliptic curve, X^+i and Z^+i in 

25 the coordinate of the point (d+l ) P= (Xd+i, Y^+i, Z^+i) on the 
Montgomery-form elliptic curve represented by the 
projective coordinates, and (x, y) as representation of 
the point P on the Montgomery- form elliptic curve in 
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the affine coordinates inputted into the scalar 
multiplication unit 103, and outputs the scalar- 
multiplied point (Xd/Yd) with the complete coordinate 
given thereto in the affine coordinates in the follow- 
5 ing procedure. Here, the affine coordinate of the 

inputted point P on the Montgomery- form elliptic curve 
is represented by (x,y), and the projective coordinate 
thereof is represented by (Xi,Yi,Zi). Assuming that the 
inputted scalar value is d, the affine coordinate of 

10 the scalar-multiplied point dP in the Montgomery- form 
elliptic curve is represented by {K^,y^)r and the 
projective coordinate thereof is represented by 
(Xd,Yd,Zd). The affine coordinate of a point (d-l)P on 
the Montgomery- form elliptic curve is represented by 

15 (Xd_i/yd-i)f and the projective coordinate thereof is 

represented by (X^.i, Y^.i, Z^.J . The affine coordinate of 
the point (d+l)P on the Montgomery-form elliptic curve 
is represented by {y^d+if y^+i) f and the projective coordi- 
nate thereof is represented by (Xd+i/ Y^+i, Z^+i) . 

20 In step 1101 X^xx is calculated, and stored in 

a register T^. In step 1102 T^-Z^ is calculated- Here, 
X^x is stored in the register T^, and X^x-Z^ is therefore 
calculated. The result is stored in the register T^. 
In step 1103 Z^xx is calculated, and stored in a 

25 register T2 . In step 1104 Xd-T2 is calculated. Here, 

ZdX is stored in the register T2, and X^-xZ^ is therefore 
calculated. The result is stored in the register T2 . 
In step 1105 Xd+iXT2 is calculated. Here, X^-xZ^ is . 
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stored in the register T2, and X^^.^ (X^-xZ^) is therefore 
calculated. The result is stored in a register T3. In 
step 1106 a square of T2 is calculated. Here, (X^-xZ^) 
is stored in the register T^f ^^ad (X^-xZ^)^ is therefore 
5 calculated. The result is stored in the register T2 . 
In step 1107 T2xXd+i is calculated. Here, (X^-xZ^)^ is 
stored in the register Tg, and X^+i (X^-xZ^) ^ is therefore 
calculated. The result is stored in the register T2. 
In step 1108 "T^xZ^^^ is calculated. Here, X^+i (X^-xZ^) ^ is 

10 stored in the register T2, and Z^+iXd+i (X^-xZ^) ^ is there- 
fore calculated. The result is stored in the register 
T2. In step 1109 T2xy is calculated. Here, Z^+iX^+i (X^- 
xZ^)^ is stored in the register T2, and yZ^^^X^+i (X^-xZ^) ^ 
is therefore calculated. The result is stored in the 

15 register T2 . In step 1110 T2XB is calculated. Here, 
yZd+iXd+i (X^-xZd) ^ is stored in the register T2, and 
ByZd+iXd^.1 (X^-xZd) ^ is therefore calculated. The result is 
stored in the register T2 . In step 1111 T2xZd is 
calculated. Here, ByZd^iX^+i (X^-xZ^) ^ is stored in the 

20 register T2, and ByZ^^iXd+i (X^-xZ^) ^Z^ is therefore calcu- 
lated. The result is stored in the register T2. In 
step 1112 T2XX^ is calculated. Here, ByZ^+iXd+i (X^-xZ J ^Z^ 
is stored in the register T2, and ByZd^-iX^^i (X^-xZ^) ^Z^X^ is 
therefore calculated. The result is stored in a 

25 register T4 . In step 1113 T2xZd is calculated. Here, 
ByZd-,iXd+i (X^-xZd)^Zd is stored in the register T2, and 
ByZ^^iX^^i (X^-xZJ 'Zd is therefore calculated. The result 
is stored in the register T2. In step 1114 an inverse 
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element of the register T2 is calculated. Here, 
ByZd+iXd+i (Xd-xZd) ^Z/ is stored in the register T2, and 
therefore 1/ByZd+iXd+i (X^-xZ^) ^Z/ is calculated. The 
result is stored in the register T2 . In step 1115 T2XT4 
5 is calculated. Here, l/ByZ^+iXd+i (X^-xZ^) ^Z^^ is stored in 
the register T2, and ByZd+iX^+i (X^-xZ^) ^Z^X^ is stored in 
the register T4. Therefore, {ByZd+iX^+i (X^-xZ^) ^Z^X^) / 
(ByZ^^iXd+i (X^-xZd) ^Z/) (=Xd/Zd) is calculated. The result 
is stored in a register x^. In step 1116 T^xZ^+i is 

10 calculated. Here X^x-Z^ is stored in the register Ti, 
and therefore Zd+iCX^x-Z^) is calculated- The result is 
stored in the register T4 . In step 1117 a square of the 
register T^ is calculated. Here, (X^x-Z^) is stored in 
the register T^, and therefore (X^x-Z^)^ is calculated. 

15 The result is stored in the register Ti. In step 1118 
T1XT2 is calculated. Here, (X^x-Z^)^ is stored in the 
register Tj, 1/ByZd^.iXd+i (X^-xZ^) ^ is stored in the register 
T2, and therefore (X^x-Z^) VByZ^+iX^^i (X^-xZ^) ^z/ is calcu- 
lated. The result is stored in the register T2 . In 

20 step 1119 T3+T4 is calculated. Here X^+i (X^-xZ^) is 

stored in the register T3, Z^+i (X^x-Z^) is stored in the 
register T4, and therefore X^+i (X^-xZ^) +Zd+i (X^x-Z^) is 
calculated. The result is stored in the register T^. 
In step 1120 T3-T4 is calculated. Here X^+i (X^-xZ^) is 

25 stored in the register T3, Z^+i (X^x-Z^) is stored in the 
register T4, and therefore X^+i (X^-xZ^) -Z^+i (X^x-Z^) is 
calculated. The result is stored in the register T3. 
In step 1121 T1XT3 is calculated. Here X^+i (X^-xZ^) + 
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Zd+i (XdX-Zd) is stored in the register T^, X^+i (X^-xZ^) - 
Zd+i (XdX-Zj) is stored in the register T3, and therefore 
{Xd^i (Xd-xZJ +Z<,+i (XdX-Z„) } {Xd^i (Xd-xZd) -Zd+i (X^x-ZJ } is 
calculated. The result is stored in the register Ti. 
5 In step 1122 T1XT2 is calculated. Here {X^+i (X^-xZ^) + 
Zd+i(Xc,x-ZJ } {X<,^i(Xd-xZJ-Zd+i(XdX-Z<,) } is stored in the 
register T^, (X^x-Z^) VByZd+iXd^i (X^-xZ,,) ^Z/ is stored in the 
register Tj, and therefore the following is calculated. 

{X,,,iX, -xZ,) + Z,,,{X,x-Z,)}{X,^,(X,-xZ,)-Z,^,(X,x-Z,)}iX,x-Z,y 

ByZ,^,X,^,(X,-xZ,yz', 

. . . Equation 5 



10 The result is stored in y^. In step 1115 (ByZd+iXd+i (X^- 
xZd)'ZdXJ / (ByZd,iXd,i (X^-xZJ%') is stored in x^, and is 
not updated thereafter, and the value is therefore 
held, 

A reason why all values in the affine coordi- 
15 nate (x^, y^) of the scalar-multiplied point in the 

Montgomery- form elliptic curve are recovered from x, y, 
Xd/ Xd+i, Zd+i given to the coordinate recovering unit 

203 by the aforementioned procedure is as follows. 
Additionally, point (d+l)P is a point obtained by 
20 adding the point P to the point dP, and point (d-l)P is 
a point obtained by subtracting the point P from the 
point dP. Assignment to addition formulae in the 
affine coordinates of the Montgomery- form elliptic 
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curve results in the following equations. 

+ X + + x^^,){x^ - xf - B{y^ - yf 

. . . Equation 6 

+ X + + x^ i )(x^ - x)' - B{y^ + yf 

5 ... Equation 7 

When opposite sides are individually subjected to 
subtraction, the following equation is obtained. 

. . . Equation 8 
10 Therefore, the following results. 

= (^d-i - ^d.iX^a - 1 4By 
. . . Equation 9 

Here, k^=XJZ^, Xd^i=Xd+i/Zd^i, Xd-i^X^-i/Zd-i . The value is 
assigned and thereby converted to a value of the 
15 projective coordinate- Then, the following equation is 
obtained. 

y, = (^,_,Z,,, - Z,_, X,,,){X, - Z,xf 1 4ByZ,_,Z,,,Zl 
. . . Equation 10 

The addition formulae in the projective 
20 coordinate of the Montgomery- form elliptic curve are as 
follows . 

x„.„ = z„_„[{x„ - zj{x„ + z„) + {x„ + z„){x„ - z„)f 

. . . Equation 11 
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= X^_„[{X^ - Z„){X„ + Z„) - + Z„)(^„ - Z„)]^ 
. . . Equation 12 

Here, X^^ and are X-coordinate and Z-coordinate in the 
projective coordinate of a m-multiplied point mP of the 
5 point P on the Montgomery- form elliptic curve, X^ and 
are X-coordinate and Z-coordinate in the projective 
coordinate of an n-multiplied point nP of the point P 
on the Montgomery- form elliptic curve, X^,^ 
X-coordinate and Z-coordinate in the projective 

10 coordinate of a (m-n) -multiplied point (m-n) P of the 
point P on the Montgomery-form elliptic curve, X^^^ and 
Z^+n are X-coordinate and Z-coordinate in the projective 
coordinate of a (m+n) -multiplied point (m+n) P of the 
point P on the Montgomery-form elliptic curve, and m, n 

15 are positive integers satisfying m>n. In the equation 
when X,/Z,=x,, X,/Z„=x„ X^.„/Z,_,=x,„, are unchanged, 
Xm+n/Zra+n=x^+n also Unchanged, Therefore, this 
functions well as the formula in the projective coordi- 
nate. On the other hand, the following equations are 

20 assumed. 

= z„^„[{x„ - z„)(jr„ + z„) + {x„ + z„)(x„ - z„)f 

. . , Equation 13 

Z'„.„ = x„^„[{x^ - z„){x„ + z„) - {X^ + Z„){X„ - z„)\ 

. . . Equation 14 

25 In this equation, when X^/Z^=^^^, X^/Z^=^^, X^^^/ Z^^^=yi^^^ are 
unchanged,- X' ^.JZ' is also unchanged. Moreover, since 
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X'.-n/Z'.-n=X,-n/Z„..n IS Satisfied, X',.,, Z',.„ may be taken 
as the projective coordinate of k^.^,. When m=d/ n=l are 
set, the above formula is used, X^-i and Z^-i are deleted 
from the equation of y^, and Xi=x, Z^=l are set, the 
5 following equation is obtained. 

^ {Z,,,iX,x-Z,) + X,,,iX, -xZ,)}{Z,^,(X,x-Z,)-X,,,iX, -xZ,)}{X,x-Z,y 

ByZ,,,X,,,iX,-xZ,fZ] 

. . . Equation 15 



Although ^^=XjZ^, reduction to a denominator 
common with that of is performed for a purpose of 
10 reducing a frequency of inversion, and the following 
equation is obtained. 



^ ^ ByZ,,,X,^,ZAX,-xZ,fX, 
" ByZ,^,X,,,Z,iX,-xZ,yZ, 

. . . Equation 16 

Here, x^, yd are given by the processing of FIG. 11. 

15 Therefore, all the values of the affine coordinate 
(^d/Yd) are recovered. 

For the aforementioned procedure, in the 
steps 1101, 1103, 1105, 1107, 1108, 1109, 1110, 1111, 
1112, 1113, 1115, 1116, 1118, 1121, and 1122, a 

20 computational amount of multiplication on a finite 

field is required. Moreover, the computational amount 
of squaring on the finite field is required in the 
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steps 1106 and 1117. Moreover, the computational 
amount of inversion on the finite field is required in 
the step 1114. The computational amounts of addition 
and subtraction on the finite field are relatively 
5 small as compared with the computational amount of 
multiplication on the finite field and the computa- 
tional amounts of squaring and inversion, and may be 
ignored. Assuming that the computational amount of 
multiplication on the finite field is M, the computa- 

10 tional amount of squaring on the finite field is S, and 
the computational amount of inversion on the finite 
field is I, the above procedure requires a computa- 
tional amount of 15M+2S+I. This is very small as 
compared with the computational amount of fast scalar 

15 multiplication. For example, when the scalar value d 
indicates 160 bits, the computational amount of the 
fast scalar multiplication is estimated to be a little 
less than about 1500 M. Assuming S=0 . 8M, I=40M, the 
computational amount of coordinate recovering is 56.6 

20 M, and this is very small as compared with the 

computational amount of the fast scalar multiplication. 
Therefore, it is indicated that the coordinate can 
efficiently be recovered. 

Additionally, even when the above procedure 

25 is not taken, the values of x^, yd given by the above 

equation can be calculated, and the values of x^, yd can 
then be recovered. In this case, the computational 
amount necessary for the recovering generally 
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increases. Moreover, when the value of B as a 
parameter of the elliptic curve is set to be small, the 
computational amount of multiplication in the step 1110 
can be reduced. 
5 A processing of the fast scalar multiplica- 

tion unit which outputs X^, Z^r ^d+if 2^+1 from the scalar 
value d and the point P on the Montgomery- form elliptic 
curve will next be described with reference to FIG. 4. 
The fast scalar multiplication unit 202 

10 inputs the point P on the Montgomery- form elliptic 

curve inputted into the scalar multiplication unit 103, 
and outputs and in the scalar-multiplied point 
dP= (Xd, Y^, Z^) represented by the projective coordinate in 
the Montgomery-form elliptic curve, and X^+i and Z^+i in 

15 the point (d+1 ) P= (Xd+i, Y^^^, Z^+i) on the Montgomery- form 

elliptic curve represented by the projective coordinate 
by the following procedure. In step 401, an initial 
value 1 is assigned to a variable I. A doubled point 
2P of the point P is calculated in step 402. Here, the 

20 point P is represented as {x,y, 1) in the projective 

coordinate, and a formula of doubling in the projective 
coordinate of the Montgomery- form elliptic curve is 
used to calculate the doubled point 2P. In step 403, 
the point P on the elliptic curve inputted into the 

25 scalar multiplication unit 103 and the point 2P 

obtained in the step 402 are stored as a set of points 
(P,2P) . Here, the points P and 2P are represented by 
the projective coordinate. It is judged in step 404 



whether or not the variable I agrees with the bit 
length of the scalar value d. With agreement, the flow 
goes to step 413. With disagreement, the flow goes to 
step 405. The variable I is increased by 1 in the step 
5 405. It is judged in step 406 whether the value of an 
I~th bit of the scalar value is 0 or 1 . When the value 
of the bit is 0, the flow goes to the step 407.- When 
the value of the bit is 1, the flow goes to step 410. 
In step 407, addition mP+(m+l)P of points mP and (m+l)P 

10 is performed from a set of points (mP, (m+l)P) 

represented by the projective coordinate, and a point 
(2m+l)P is calculated. Thereafter, the flow goes to 
step 408. Here, the addition mP+(m+l)P is calculated 
using the addition formula in the projective coordinate 

15 of the Montgomery- form elliptic curve. In step 408, 
doubling 2 (mP) of the point mP is performed from the 
set of points (mP, (m+l)P) represented by the projective 
coordinate, and the point 2mP is calculated. There- 
after, the flow goes to step 409. Here, the doubling 

20 2 (mP) is calculated using the formula of doubling in 
the projective coordinate of the Montgomery- form 
elliptic curve. In the step 409, the point 2mP 
obtained in the step 408 and the point (2m+l)P obtained 
in the step 407 are stored as a set of points (2mP, 

25 (2m+l)P) instead of the set of points (mP, {m+l)P). 
Thereafter, the flow returns to the step 404. Here, 
the points 2mP, (2m+l)P, mP, and (m+1) P are all 
represented in the projective coordinates. In step 
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410, addition mP+(m+l)P of the points mP, (m+l)P is 
performed from the set of points (mP, (m+l)P) 
represented by the projective coordinates, and the 
point {2m+l)P is calculated- Thereafter, the flow goes 
5 to step 411. Here, the addition mP+{m+l)P is calcu- 
lated using the addition formula in the projective 
coordinates of the Montgomery-form elliptic curve. In 
the step 411, doubling 2((m+l)P) of the point (m+l)P is 
performed from the set of points (mP, (m+l)P) 

10 represented by the projective coordinates, and a point 
(2m+2)P is calculated. Thereafter, the flow goes to 
step 412. Here, the doubling 2((m+l)P) is calculated 
using the formula of doubling in the projective 
coordinates of the Montgomery~f orm elliptic curve. In 

15 the step 412, the point (2m+l)P obtained in the step 

410 and the point (2m+2)P obtained in the step 411 are 
stored as a set of points ((2m+l)P, (2m+2)P) instead of 
the set of points (mP, (m+1) P) . Thereafter, the flow 
returns to the step 404. Here, the points (2m+l)P, 

20 (2m+2)P, mP, and (m+l)P are all represented in the 

projective coordinates. In step 413, from the set of 
points (mP, (m+l)P) represented by the projective 
coordinates, and are outputted as and from 
the point mP= (X^, Y^, Z^) represented by the projective 

2 5 coordinates, and X^+i and Z^+i are outputted as X^+i and 
Zd^i from the point (m+1 ) P= (X^^^, Y^.^, Z^^J represented by 
the projective coordinates. Here, Y^ and Y^^^ are not 
obtained, because Y-coordinate cannot be obtained by 
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the addition and doubling formulae in the projective 
coordinates of the Montgomery- form elliptic curve. 
Moreover, by the aforementioned procedure, m and the 
scalar value d have an equal bit length and further 
5 have the same pattern of the bit, and are therefore 
equal . 

The computational amount of the addition 
formula in the projective coordinates of the 
Montgomery-f orm elliptic curve is 3M+2S with Z^=l . 

10 Here, M is the computational amount of multiplication 
on the finite field, and S is the computational amount 
of squaring on the finite field. The computational 
amount of the formula of doubling in the projective 
coordinates of the Montgomery-form elliptic curve is 

15 3M+2S. When the value of the I-th bit of the scalar 

value is 0, the computational amount of addition in the 
step 407, and the computational amount of doubling in 
the step 408 are required. That is, a computational 
amount of 6M+4S is required. When the value of the 1- 

20 th bit of the scalar value is 1, the computational 

amount of addition in the step 410, and the computa- 
tional amount of doubling in the step 411 are required. 
That is, the computational amount of 6M+4S is required - 
In any case, the computational amount of 6M+4S is 

25 required. The number of repetitions of the steps 404, 
405, 406, 407, 408, 409, or the steps 404, 405, 406, 
410, 411, 412 is (bit length of the scalar value d)-l. 
Therefore, in consideration of the computational amount 



of doubling in the step 4 02, the entire computational 
amount is (6M+4S) {k-l)+3M+2S. Here, k is a bit length 
of the scalar value d. In general, since a computa- 
tional amount S is estimated to be of the order of 
5 S=0.8M, the entire computational amount is approxi- 
mately (9.2k-4.6)M, For example, when the scalar value 
d indicates 160 bits (k=160) , the computational amount 
of algorithm of the aforementioned procedure is about 
1467 M. The computational amount per bit of the scalar 
10 value d is about 9.2 M. In A. Miyaji, T. Ono, H. 

Cohen, Efficient elliptic curve exponentiation using 
mixed coordinates. Advances in Cryptology Proceedings 
of ASIACRYPT' 98, LNCS 1514 (1988) pp. 51-65, a scalar 
multiplication method using a window method and mixed 
15 coordinates mainly including Jacobian coordinates in a 
Weierstrass-form elliptic curve is described as a fast 
scalar multiplication method. In this case, the 
computational amount per bit of the scalar value is 
estimated to be about 10 M. For example, when the 
20 scalar value d indicates 160 bits {k=160) , the 

computational amount of the scalar multiplication 
method is about 1600 M. Therefore, the algorithm of 
the aforementioned procedure can be said to have a 
small computational amount and high speed. 
25 Additionally, instead of using the algorithm 

of the aforementioned procedure in the fast scalar 
multiplication unit 202, another algorithm may be used 
as long as the algorithm outputs X^, Y^, X^+i, Z^+i from 



the scalar value d and the point P on the Montgomery- 
form elliptic curve at high speed. 

The computational amount required for 
recovering the coordinate of the coordinate recovering 
5 unit 203 in the scalar multiplication unit 103 is 
15M+2S+1, and this is far small as compared with a 
computational amount of (9.2k-4.6)M necessary for fast 
scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 

10 necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 
computational amount necessary for the fast scalar 
multiplication of the fast scalar multiplication unit. 
Assuming I=40M, S=0.8M, the computational amount can be 

15 estimated to be about (9.2k-f52)M. For example, when 
the scalar value d indicates 160 bits {k=160) , the 
computational amount necessary for the scalar multipli- 
cation is 1524 M. The Weierstrass-f orm elliptic curve 
is used as the elliptic curve, the scalar multiplica- 

20 tion method is used in which the window method and the 
mixed coordinates mainly including the Jacobian 
coordinates are used, and the scalar-multiplied point 
is outputted as the affine coordinates. In this case, 
the required computational amount is about 164 0 M, and 

25 as compared with this, the required computational 
amount is reduced. 

In a second embodiment, the scalar multipli- 
cation unit 103 calculates and outputs a scalar- 
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multiplied point (Xa,Y^,Z^) with the complete coordinate 
given thereto as a point of the projective coordinates 
in the Montgomery- form elliptic curve from the scalar 
value d and the point P on the Montgomery- form elliptic 
5 curve. The scalar value d and the point P on the 
Montgomery-form elliptic curve are inputted into the 
scalar multiplication unit 103 and then received by the 
fast scalar multiplication unit 202. The fast scalar 
multiplication unit 202 calculates and in the 

10 coordinate of the scalar^-multiplied point dP= (X^r Y^/ Z^) 
represented by the projective coordinates in the 
Montgomery- form elliptic curve, and X^+i and Z^+i in the 
coordinate of the point on the Montgomery-form elliptic 
curve (d+1 ) P= (Xd+i, Yd+i, Zd+i) represented by the projective 

15 coordinates from the received scalar value d and the 
given point P on the Montgomery-form elliptic curve, 
and gives the information together with the inputted 
point P=(x,y) on the Montgomery-form elliptic curve 
represented by the affine coordinates to the coordinate 

20 recovering unit 203. The coordinate recovering unit 
203 recovers coordinate X^, Y^, and Z^ of the scalar- 
multiplied point dP= (X^, Yd, Zd) represented by the 
projective coordinates in the Montgomery- form elliptic 
curve from the given coordinate values X^, Z^/ X^+i/ '^a+if 

25 X and y. The scalar multiplication unit 103 outputs 
the scalar-multiplied point (X^^Y^.Z^) with the coordi- 
nate completely given thereto in the projective 
coordinates as the calculation output. 
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A processing of the coordinate recovering 
unit which outputs X^, Y^, from the given coordinate 
X, y, X^, Z^, X^^-^, Z^+i will next be described with 
reference to FIG. 9. 
5 The coordinate recovering unit 2 03 inputs X^^ 

and Zd in the coordinate of the scalar-multiplied point 
dP= (Xj, Y^f Z^) represented by the projective coordinates 
in the Montgomery-form elliptic curve, X^^^ and Z^+i in 
the coordinate of the point on the Montgomery- form 

10 elliptic curve (d+1 ) P= (Xd+i/ Y^+i, Z^+i) represented by the 
projective coordinates, and (x, y) as representation of 
the point P on the Montgomery-form elliptic curve 
inputted into the scalar multiplication unit 103 in the 
affine coordinates, and outputs the scalar-multiplied 

15 point (Xd/Yd,Zd) with the complete coordinate given 

thereto in the projective coordinates in the following 
procedure. Here, the affine coordinate of the inputted 
point P on the Montgomery-form elliptic curve is 
represented by (x,y), and the projective coordinate 

20 thereof is represented by (Xi,Yi,Zi). Assuming that the 
inputted scalar value is d, the affine coordinate of 
the scalar-multiplied point dP in the Montgomery- form 
elliptic curve is represented by (x^/ yd) / and the 
projective coordinate thereof is represented by 

25 (Xd,Yd,Zd). The affine coordinate of the point (d-l)P on 
the Montgomery-form elliptic curve is represented by 
(^d-i/ Yd-i) f cind the projective coordinate thereof is 
represented by (X^.i, Y^.i, Z^.i) . The affine coordinate of 
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the point (d+l)P on the Montgomery-form elliptic curve 
is represented by (Xd+i,yd+i)f and the projective 
coordinate thereof is represented by (X^+i/ Y^+i, Z^+i) - 

In step 901 X^iXx is calculated, and stored in 
5 the register T^. In step 902 Ti-Z^ is calculated- Here, 
X^x is stored in the register T^, and X^x-Z^ is therefore 
calculated- The result is stored in the register Ti. 
In step 903 Z^xx is calculated, and stored in the 
register . In step 904 X^-T^ is calculated- Here, Z^x 

10 is stored in the register T2/ and X^-xZ^ is therefore 
calculated. The result is stored in the register T2 . 
In step 905 Zd+iXT^ is calculated. Here, X^x-Z^ is stored 
in the register T^, and Z^+i (X^x-Z^) is therefore calcu- 
lated. The result is stored in the register T3. In 

15 step 906 X^+iXTj is calculated. Here, X^-xZ^ is stored in 
the register T^, and X^+i (X^-xZ^) is therefore calculated. 
The result is stored in the register T4 . In step 907 a 
square of T^ is calculated. Here, X^x-Z^ is stored in 
the register T^, and (X^x-Z^) ^ is therefore calculated. 

20 The result is stored in the register T^. In step 908 a 
square of T2 is calculated. Here, X^-xZ^ is stored in 
the register T2, and (X^-xZj^ is therefore calculated. 
The result is stored in the register T2 . In step 909 
T2xZd is calculated. Here, (X^-xZ^)^ is stored in the 

25 register T2, and Z^CX^-xZ^)^ is therefore calculated. 

The result is stored in the register T2 . In step 910 
T^xX^^^ is calculated. Here, Z^iX^-xZ^)^ is stored in the 
register T2, and X^+iZ^ (X^-xZ^) ' is therefore calculated. 
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The result is stored in the register T2 . In step 911 
T2xZd^i is calculated. Here, X^+iZ^ (Xd-xZ^) ^ is stored in 
the register Tj, and Z^-^iX^+iZ^ (X^-xZ^) ^ is therefore 
calculated. The result is stored in the register T2. 
5 In step 912 T^xy is calculated- Here, Zd+iX^+iZ^ (X^-xZ^) ^ 
is stored in the register T2, and yZ^^^X^^^Z^(X^-KZ^)^ is 
therefore calculated. The result is stored in the 
register T2 . In step 913 T2XB is calculated. Here, 
yZd+iXd4-iZd{Xd-xZJ ' is stored in the register T2, and 

10 ByZd+iXd-,iZd(Xd-xZd) ^ is therefore calculated. The result 
is stored in the register T2 . In step 914 TsXX^ is 
calculated. Here, ByZ^.^Xd^-iZd (X^-xZ J ^ is stored in the 
register T2, and ByZd^-iX^+iZd (X^-xZ^) ^X^ is therefore 
calculated. The result is stored in the register X^. 

15 In step 915 T2xZd is calculated. Here, ByZ^+iX^+iZd (X^- 
xZ^)^ is stored in the register T2/ and ByZd+iX^+iZ^ (X^- 
xZd)^Zd is therefore calculated. The result is stored in 
the register Z^. In step 916 T3+T4 is calculated. Here 
Xd+i (Xdx"Zd) is stored in the register T3, X^+i (Xd-xZ^) is 

20 stored in the register T4, and therefore Z^+i (X^x-Z^) + 

Xd+i (^d-^2d) is calculated. The result is stored in the 
register T2 - In step 917 T3-T4 is calculated. Here 
Zd^.1 (X^x-Zd) is stored in the register T3, X^+i (X^-xZ^) is 
stored in the register T^, and therefore Z^+i (X^x-Z^) - 

25 Xd^i(Xd-xZd) is calculated. The result is stored in the 
register T3. In step 918 T^xTs is calculated. Here 
(X^x-Zd)^ is stored in the register T^, Z^+i (X^x-Z^) -fX^+i (X^- 
xZd) is stored in the register T2, and therefore 
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{Z^,i(XdX-ZJ+Xd+i(X^-xZd) } (XdX-Zj' is calculated. The 
result is stored in the register T^. In step 919 T1XT3 
is calculated. Here { Z^+i (X^x-Z^) +Xd+i (Xd-xZ^) } (X^x-Z^) ^ is 
stored in the register T^, Z^+i (X^x^Z^) -X^+i (X^-xZ^) is 
5 stored in the register T3, and therefore { Z^+i (X^x-Z^) + 
X^.i (X^-xZ J } { Z^^, (X^x-Z J -X^,, (X^-xZd) } (X^x-Z J ' is calcu- 
lated. The result is stored in the register Y^. 
Therefore, { Z^^, (X^x-Z J +X^,, (X^-xZ J } { Z^^^ (X^x-Z J -X^^^ (X^- 
xZ^) } (X^x-Z^j) ^ is stored in the register Y^. In the step 
10 914 ByZd^-iXd+iZd+i (Xd-xZd) ^X^ is stored in the register X^, 

and is not updated, and the value is held. In the step 
915 ByZd+iXd+iZd+i (X^-xZd) ^ is stored in the register Z^, and 
is not updated thereafter, and the value is therefore 
held. 

15 A reason why all values in the projective 

coordinate {Xd,Yd,Zd) of the scalar-multiplied point are 
recovered from x, y, X^, Z^, X^+i, Z^+i given by the afore- 
mentioned procedure is as follows. The point (d+l)P is 
a point obtained by adding the point P to the point dP, 

20 and the point (d-l)P is a point obtained by subtracting 
the point P from the point dP. Assignment to the 
addition formulae in the affine coordinates of the 
Montgomery- form elliptic curve results in Equations 6, 
7. When the opposite sides are individually subjected 

25 to subtraction. Equation 8 is obtained. Therefore, 
Equation 9 results. Here, x^=X^/Z^f ^d+i^^d+i/^d+i/ 
^di-i="^d~i/'^d~i' The value is assigned and thereby 
converted to the value of the projective coordinate. 



Then, Equation 10 is obtained. 

The addition formulae in the projective 
coordinate of the Montgomery- form elliptic curve are 
Equations 11 and 12. Here, X^^ and are X-coordinate 
5 and Z-coordinate in the projective coordinate of the m- 
multiplied point mP of the point P on the Montgomery- 
form elliptic curve, X^ and Z^ are X-coordinate and Z- 
coordinate in the projective coordinate of the n- 
multiplied point nP of the point P on the Montgomery- 

10 form elliptic curve, X^.^ and Z^.^ are X-coordinate and Z- 
coordinate in the projective coordinate of the (m-n)- 
multiplied point (m~n) P of the point P on the 
Montgomery- form elliptic curve, X^+^ and Z^+^ are X- 
coordinate and Z-coordinate in the projective coordi- 

15 nate of the (m+n) -multiplied point (m+n) P of the point 
P on the Montgomery- form elliptic curve, and m, n are 
positive integers satisfying m>n. In the equation when 
X^/Z,=x,, X,/Z,-x,, X^_yz^_,=x^_, are unchanged, X^,,/Z^^^-x^^, 
is also unchanged. Therefore, this functions well as 

2 0 the formula in the projective coordinate. On the other 
hand, for Equations 14, 15, when X^/Z^^:^^, X^/Z^=Xn, 
^m+n/Z^+n=>^m+n ^re Unchanged in this equation, X'^.^/Z'^.^ is 
also unchanged. Moreover, since X' ^.^/Z' ^_n=X^_^/Z^_^=Xj^_„ is 
satisfied, X'^^.^, Z'^.^ may be taken as the projective 

25 coordinate of k^_^. When m=d, n=l are set, the above 
formula is used, X^-i and Z^-i are deleted from the 
equation of y^, and X^^x, Zi=l are set, Equation 15 is 
obtained. Although k^^X^/Z^, reduction to the 
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denominator coitimon with that of is performed, and 
Equation 16 is obtained. 

As a result, the following equation is 

obtained. 

5 7,= [Z,,,{X,x - Z,) + X,,,{X, - xZ,)}{z,,,{X,x - Z,) - X,,,{X, - xZ,)]{X,x - Z.f 

. . . Equation 17 

Then, and may be updated by the following 
equations . 

ByZ,,,X,,,Z,{X,-xZ,yx, 
10 ... Equation 18 

ByZ,^,X,,,Z,{X,-xZ,fz, 
. . . Equation 19 

Here, X^, Y^, are given by the processing of FIG. 9. 
Therefore, all the values of the projective coordinate 

15 (Xci,Yd, Zd) are recovered. 

For the aforementioned procedure, in the 
steps 901, 903, 905, 906, 909, 910, 911, 912, 913, 914, 
915, 918, and 919, the computational amount of multi- 
plication on the finite field is required. Moreover, 

20 the computational amount of squaring on the finite 
field is required in the steps 907 and 908. The 
computational amounts of addition and subtraction on 
the finite field are relatively small as compared with 
the computational amount of multiplication on the 

25 finite field and the computational amount of squaring. 



and may therefore be ignored. Assuming that the 
computational amount of multiplication on the finite 
field is M, and the computational amount of squaring on 
the finite field is S, the above procedure requires a 
5 computational amount of 13M+2S, This is far small as 
compared with the computational amount of the fast 
scalar multiplication. For example, when the scalar 
value d indicates 160 bits, the computational amount of 
the fast scalar multiplication is estimated to be a 

10 little less than about 1500 M. Assuming S=0 . 8M, the 
computational amount of coordinate recovering is 14.6 
M, and far small as compared with the computational 
amount of the fast scalar multiplication. Therefore, 
it is indicated that the coordinate can efficiently be 

15 recovered. 

Additionally, even when the above procedure 
is not taken, the values of X^. Y^, given by the above 
equation can be calculated, and the values of X^, Y^, 
can then be recovered- Moreover, the values of X^, Y^, 

20 Zd are selected so that x^, yd take the values given by 
the aforementioned equations, the values can be 
calculated, and then X^, Y^, Z^ can be recovered- In 
this case, the computational amount required for 
recovering generally increases. Furthermore, when the 

25 value of B as the parameter of the elliptic curve is 

set to be small, the computational amount of multipli- 
cation in the step 913 can be reduced. 

An algorithm which outputs X^, Z^, ^a+if '^d+i 
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from the scalar value d and the point P on the 
Montgomery- form elliptic curve will next be described. 

The fast scalar multiplication method of the 
first embodiment is used as the fast scalar multiplica- 
5 tion method of the fast scalar multiplication unit 202 
of the second embodiment. Thereby, as the algorithm 
which outputs Xd/ Z^, X^+i/ Z^+i from the scalar value d 
and the point P on the Montgomery- form elliptic curve, 
a fast algorithm is achieved. Additionally, instead of 

10 using the aforementioned algorithm in the fast scalar 
multiplication unit 202, another algorithm may be used 
as long as the algorithm outputs X^, Z^/ X^+i^ Z^+i from 
the scalar value d and the point P on the Montgomery- 
form elliptic curve at high speed. 

15 The computational amount required for 

recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 
13M+2S, and this is far small as compared with the 
computational amount of (9.2k-4.6)M necessary for fast 

20 scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 
computational amount necessary for the fast scalar 

25 multiplication of the fast scalar multiplication unit. 
Assuming S=0.8M, the computational amount can be 
estimated to be about (9.2k+10)M. For example, when 
the scalar value d indicates 160 bits (k=^160) , the 
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computational amount necessary for the scalar multipli- 
cation is 1482 M. The Weierstrass-f orm elliptic curve 
is used as the elliptic curve, the scalar multiplica- 
tion method is used in which the window method and the 
5 mixed coordinates mainly including the Jacobian 

coordinates are used, and the scalar-multiplied point 
is outputted as the Jacobian coordinates. In this 
case, the required computational amount is about 1600 
M, and as compared with this, the required computa- 
10 tional amount is reduced - 

In a third embodiment, the scalar multipli- 
cation unit 103 calculates and outputs a scalar- 
multiplied point {K^rYa) with the complete coordinate 
given thereto as a point of the affine coordinates in 
15 the Montgomery- form elliptic curve from the scalar 

value d and the point P on the Montgomery- form elliptic 
curve. The scalar value d and the point P on the 
Montgomery- form elliptic curve are inputted into the 
scalar multiplication unit 103 and then received by the 
20 fast scalar multiplication unit 202. The fast scalar 
multiplication unit 202 calculates and in the 
coordinate of the scalar-multiplied point dP= (X^, Y^, Z^) 
represented by the projective coordinates in the 
Montgomery- form elliptic curve, X^+i and Z^+i in the 
25 coordinate of the point on the Montgomery- form elliptic 
curve {d+l)P={Xd,,,Yd,i,Zd,i) represented by the projective 
coordinates, and X^-i and Z^-i in the coordinate of the 
point on the Montgomery- form elliptic curve (d-l)P= 
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(^d-i/ Yd-if Zd-i) represented by the projective coordinates 
from the received scalar value d and the given point P 
on the Montgomery- form elliptic curve, and gives the 
information together with the inputted point P=(x,y) on 
5 the Montgomery- form elliptic curve represented by the 
affine coordinates to the coordinate recovering unit 
203. The coordinate recovering unit 203 recovers 
coordinate x^, and y^ of the scalar-multiplied point 
dF={x^rYdi) represented by the affine coordinates in the 
10 Montgomery- form elliptic curve from the given coordi- 
nate values X^, Z^, X^^,, Z^^^, X^-i, Z^.^, x and y. The 
scalar multiplication unit 103 outputs the scalar- 
multiplied point (x^^y^) with the coordinate completely 
given thereto in the affine coordinates as the calcula- 
15 tion output- 

A processing of the coordinate recovering 
unit which outputs x^/ yd from the given coordinate x, 
y, X,, Z,, X,,„ Z,,,, X,_,, Z,_, will next be described with 
reference to FIG. 12. 
20 The coordinate recovering unit 203 inputs X^ 

and Zd in the coordinate of the scalar-multiplied point 
dP= (X^, Yd, Z^) represented by the projective coordinates 
in the Montgomery- form elliptic curve, X^+i and Z^+i in 
the coordinate of the point on the Montgomery- form 
25 elliptic curve (d+1 ) P= (X^.^, Y^.^, Z^+i) represented by the 

projective coordinates, X^-i and Z^^^ in the coordinate of 
the point on the Montgomery-form elliptic curve (d-l)P= 
(Xd.i, Yd-i, Zd-i) represented by the projective coordinates. 
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and (x,y) as representation of the point P on the 
Montgomery- form elliptic curve in the affine coordi- 
nates inputted into the scalar multiplication unit 103, 
and outputs the scalar-multiplied point (x^, y^) with the 
5 complete coordinate given thereto in the affine coordi- 
nates in the following procedure. Here, the affine 
coordinate of the inputted point P on the Montgomery- 
form elliptic curve is represented by (x,y), and the 
projective coordinate thereof is represented by 

10 (Xi,Y3^,Zi). Assuming that the inputted scalar value is 
d, the affine coordinate of the scalar-multiplied point 
dP in the Montgomery- form elliptic curve is represented 
by i^dfYd) f and the projective coordinate thereof is 
represented by (X^^Y^, Z^). The affine coordinate of the 

15 point {d-l)P on the Montgomery- form elliptic curve is 
represented by {^^.ifYd.i)^ and the projective coordinate 
thereof is represented by (X^.i, Y^.^, Z^-i) . The affine 
coordinate of the point (d+l)P on the Montgomery- form 
elliptic curve is represented by (Xd+i, yd+i) / and the 

20 projective coordinate thereof is represented by 

(^d+l^ '^d+l/ ^d+i) - 

In step 1201 Xd-iXZ^+i is calculated, and stored 
in the register T^. In step 1202 Z^.^xX^+i is calculated, 
and stored in the register T2. In step 1203 T1-T2 is 
25 calculated. Here, X^-iZ^^i is stored in the register T^, 
Zd-i>^d+i is stored in the register T2, and X^-iZd+i-Zd-iX^^,! is 
therefore calculated. The result is stored in the 
register T^. In step 1204 Z^xx is calculated, and 
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stored in the register T2 - In step 1205 X^-T2 is calcu- 
lated. Here, Z^x is stored in the register and X^- 
xZd is therefore calculated. The result is stored in 
the register T2 . In step 1206 a square of T2 is calcu- 
5 lated. Here, (X^-xZ^) is stored in the register T^, and 
(Xd-xZd)^ is therefore calculated. The result is stored 
in the register T2 . In step 1207 T1XT2 is calculated. 
Here, X^^iZ^.i- Z^.^X^.i is stored in the register T^, (X^- 
xZ^)^ is stored in the register T2, and therefore (X^- 
10 xZd)'(X^_,Z^,i-Zd-iXd,i) is calculated. The result is stored 
in the register T^. In step 1208 4Bxy is calculated. 
The result is stored in the register T2. In step 1209 
TsXZ^^i is calculated. Here, 4By is stored in the 
register T2, and 4ByZd+i is therefore calculated. The 
15 result is stored in the register T2 . In step 1210 T2xZd^i 
is calculated. Here, 4ByZd+i is stored in the register 
T2, and 4ByZd_iZd^3^ is therefore calculated. The result 
is stored in the register T2 . In step 1211 TjXZ^ is 
calculated. Here, 4ByZd^iZd-i is stored in the register 
20 T2, and 4ByZd4.iZd-iZd is therefore calculated. The result 
is stored in the register T2 . In step 1212 T2xXd is 
calculated. Here, 4ByZd_iZd,iZd is stored in the register 
T2, and 4ByZd^iZd-iZdXd is therefore calculated. The 
result is stored in the register T3. In step 1213 T2xZd 
25 is calculated. Here, 4ByZd+iZd-iZd is stored in the 

register T2, and ^ByZ^,,Z^_,Z^Z^ is therefore calculated. 
The result is stored in the register T2 . In step 1214 
the inverse element of the register T2 is calculated. 
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Here, 4BYZd+iZd_iZdZd is stored in the register T^, and 
therefore l/4ByZd+iZd_iZdZd is calculated- The result is 
stored in the register T2 . In step 1215 T2XT3 is 
calculated. Here, l/4ByZd+iZd-iZdZd is stored in the 
5 register T2, 4ByZd+iZd_iZdXd is stored in the register T3, 
and therefore ( 4ByZd^j^Zd_iZdXd) / ( 4ByZ^+iZd_iZdZd) is calcu- 
lated. The result is stored in the register x^. In 
step 1216 T1XT2 is calculated. Here, (X^-xZ^) Mx^.^Zd+i- 
Zd-iXd.i) is stored in the register T^, l/4ByZd^iZ^.iZdZd is 
10 stored in the register T2, and therefore (Xd-iZd+i-Zd-iX^+i) 
(Xj-xZ^) ^/4ByZd_aZd+iZd^ is calculated. The result is 
stored in the register y^. Therefore, (X^.^Zd^-i-Zd-iXd+i) 
(X^-Z^x) V4ByZd_iZd+iZd^ is stored in the register y^. In 
the step 1215 {AByZ^^^Z^.:,Z^X^) / {AByZ^^^Z^.^Z^ZJ is stored in 
15 the register x^, and is not updated thereafter, and 
therefore the value is held. 

A reason why all values in the affine coordi- 
nate (Xd,yd) of the scalar-multiplied point in the 
Montgomery- form elliptic curve are recovered from x, y, 
20 X^, Z^, Xd^i, Zd,i, Xd_i, Z^.i given by the aforementioned 
procedure is as follows. The point {d+l)P is a point 
obtained by adding the point P to the point dP, and the 
point (d-l)P is a point obtained by subtracting the 
point P from the point dP. 
25 Assignment to the addition formulae in the 

affine coordinates of the Montgomery- form elliptic 
curve results in Equations 6, 7. When the opposite 
sides are individually subjected to subtraction. 
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Equation 8 is obtained. Therefore, Equation 9 results- 
Here, k^=XJZ^, x^.^^X^.i/Z^,,, x^.i^X^.i/Z^-i . The value is 
assigned and thereby converted to the value of the 
projective coordinate. Then, Equation 10 is obtained. 
5 Although k^=X^/Z^, reduction to the denominator 

coiniuon with that of is performed for the purpose of 
reducing the frequency of inversion, and the following 
equation is obtained. 

^ _ 4ByZ,^,Z,_,Z,X, 
' 4ByZ,,,Z,_,Z,Z, 

10 ... Equation 20 

Here, x^, yd are given by the processing shown in FIG. 
12. Therefore, all the values of the affine coordinate 

(Xd/yd) are recovered. 

For the aforementioned procedure, in the 

15 steps 1201, 1202, 1204, 1207, 1208, 1209, 1210, 1211, 

1212, 1213, 1215, and 1216, the computational amount of 
multiplication on the finite field is required. 
Moreover, the computational amount of squaring on the 
finite field is required in the step 1206. Moreover, 

20 the computational amount of inversion on the finite 

field is required in the step 1214. The computational 
amounts of addition and subtraction on the finite field 
are relatively small as compared with the computational 
amount of multiplication on the finite field and the 

25 computational amounts of squaring and inversion, and 

may be ignored. Assuming that the computational amount 
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of multiplication on the finite field is M, the 
computational amount of squaring on the finite field is 
S, and the computational amount of inversion on the 
finite field is I, the above procedure requires a 
5 computational amount of 12M-hS + I. This is very small as 
compared with the computational amount of fast scalar 
multiplication. For example, when the scalar value d 
indicates 160 bits, the computational amount of the 
fast scalar multiplication is estimated to be a little 

10 less than about 1500 M. Assuming S=0 . 8M, I=40M, the 
computational amount of coordinate recovering is 52.8 
M, and this is very small as compared with the 
computational amount of the fast scalar multiplication. 
Therefore, it is indicated that the coordinate can 

15 efficiently be recovered. 

Additionally, even when the above procedure 
is not taken, the values of x^, yd given by the above 
equation can be calculated, and the values of x^/ yd can 
then be recovered. In this case, the computational 

20 amount required for recovering generally increases. 
Furthermore, when the value of B as the parameter of 
the elliptic curve is set to be small, the computa- 
tional amount of multiplication in the step 1208 can be 
reduced. 

25 A processing of the fast scalar multiplica- 

tion unit which outputs X^, Z^, Xd+i, Zd+i/ X^-if '^a-i i^om 
the scalar value d and the point P on the Montgomery- 
form elliptic curve will next be described with 



reference to FIG. 5. 

The fast scalar multiplication unit 202 
inputs the point P on the Montgomery-form elliptic 
curve inputted into the scalar multiplication unit 103, 
5 and outputs and in the scalar-multiplied point 

dP= (Xd, Y^, Z^) represented by the projective coordinate in 
the Montgomery-form elliptic curve, X^+i and Z^+i in the 
point (d+l)P=(X^,i,Yd,i,Z,,,i) on the Montgomery-form 
elliptic curve represented by the projective coordi- 
10 nate, and X^.i and Z^-i in the point (d-1 ) P= (X^-i, Y^-i, Z^-i) 
on the Montgomery-form elliptic curve represented by 
the projective coordinate by the following procedure. 
In step 501, the initial value 1 is assigned to the 
variable I. The doubled point 2P of the point P is 
15 calculated in step 502. Here, the point P is 

represented as {x,y, 1) in the projective coordinate, 
and the formula of doubling in the projective coordi- 
nate of the Montgomery-form elliptic curve is used to 
calculate the doubled point 2P. In step 503, the point 
20 P on the elliptic curve inputted into the scalar 

multiplication unit 103 and the point 2P obtained in 
the step 502 are stored as a set of points (P,2P). 
Here, the points P and 2P are represented by the 
projective coordinate- It is judged in step 504 
25 whether or not the variable I agrees with the bit 

length of the scalar value d. With agreement, m=d is 
satisfied, and the flow goes to step 514. With 
disagreement, the flow goes to step 505. The variable 



I is increased by 1 in the step 505, It is judged in 
step 506 whether the value of an I-th bit of the scalar 
value is 0 or 1, When the value of the bit is 0, the 
flow goes to the step 507. When the value of the bit 
5 is 1, the flow goes to step 510. In step 507, addition 
mP+(m+l)P of points mP and (ni+l)P is performed from the 
set of points (mP, (m+l)P) represented by the projective 
coordinate, and the point (2m+l)P is calculated. 
Thereafter, the flow goes to step 508. Here', the 

10 addition mP+(m+l)P is calculated using the addition 

formula in the projective coordinate of the Montgomery- 
form elliptic curve. In step 508, doubling 2 (mP) of 
the point mP is performed from the set of points 
(mP, (m+l)P) represented by the projective coordinate, 

15 and the point 2mP is calculated. Thereafter, the flow 
goes to step 509. Here, the doubling 2 (mP) is calcu- 
lated using the formula of doubling in the projective 
coordinate of the Montgomery- form elliptic curve. In 
the step 509, the point 2mP obtained in the step 508 

20 and the point (2m+l)P obtained in the step 507 are 

stored as the set of points (2mP, (2m+l)P) instead of 
the set of points (mP, (m+l)P). Thereafter, the flow 
returns to the step 504. Here, the points 2mP, 
(2m+l)P, mP, and (m+l)P are all represented in the 

25 projective coordinates. In step 510, addition 

mP+(m+l)P of the points mP, (m+l)P is performed from 
the set of points (mP, (m+l)P) represented ' by the 
projective coordinates, and the point (2m+l)P is 



::i O O ^"B-f J 2 ^it ^4- ^ O .3 13 *0 S 

65 

calculated- Thereafter, the flow goes to step 511. 
Here, the addition niP+(m+l)P is calculated using the 
addition formula in the projective coordinates of the 
Montgomery-form elliptic curve. In the step 511, 
5 doubling 2((m+l)P) of the point (m+l)P is performed 
from the set of points (mP, (m+l)P) represented by the 
projective coordinates, and the point (2m+2)P is 
calculated- Thereafter, the flow goes to step 512. 
Here, the doubling 2((m+l)P) is calculated using the 
10 formula of doubling in the projective coordinates of 
the Montgomery- form elliptic curve. In the step 512, 
the point (2m+l)P obtained in the step 510 and the 
point (2m+2)P obtained in the step 511 are stored as 
the set of points ((2m+l)P, {2m+2)P) instead of the set 
15 of points (mP, (m+l)P)- Thereafter, the flow returns to 
the step 504- Here, the points (2m+l)P, (2m+2)P, mP, 
and (m+l)P are all represented in the projective 
coordinates. In step 514, from the set of points 
(mP, (m+l)P) represented by the projective coordinates, 
20 X-coordinate X^.^ and Z-coordinate Z^.^ in the projective 
coordinates of the point (m-l)P are obtained as X^-i and 
Zd_i. Thereafter, the flow goes to step 513. In the 
step 513, X^ and are obtained as and Z^ from the 
point mP= (X^, Y^, Z^) represented by the projective 
25 coordinates, X^+i and Z^^^ are obtained as X^+i and Z^+i 

from the point (m+1 ) P= (X^,i, Y^^^, Z^^i) represented by the 
projective coordinates, and these are outputted 
together with X^.i and Z^.i- Here, Y^ and Y^^^ are not 



obtained, because Y-coordinate cannot be obtained by 
the addition and doubling formulae in the projective 
coordinates of the Montgomery- form elliptic curve. 
Moreover, by the aforementioned procedure, m and the 
5 scalar value d have an equal bit length and further 
have the same pattern of the bit, and are therefore 
equal- Moreover, when (m-l)P is obtained in the step 
514, Equations 10, 11 may be used. When m is an odd 
number, a value of ((m-l)/2)P is separately held in the 
10 step 512, and (m-l)P may be obtained from the value by 
the formula of doubling of the Montgomery- form elliptic 
curve . 

The computational amount of the addition 
formula in the projective coordinates of the 

15 Montgomery- form elliptic curve is 3M+2S with Z^^l. 

Here, M is the computational amount of multiplication 
on the finite field, and S is the computational amount 
of squaring on the finite field. The computational 
amount of the formula of doubling in the projective 

20 coordinates of the Montgomery-form elliptic curve is 
3M+2S. When the value of the I-th bit of the scalar 
value is 0, the computational amount of addition in the 
step 507, and the computational amount of doubling in 
the step 508 are required. That is, the computational 

25 amount of 6M+4S is required. When the value of the I- 
th bit of the scalar value is 1, the computational 
amount of addition in the step 510, and the computa- 
tional amount of doubling in the step 511 are required. 
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That is, the computational amount of 6M+4S is required. 
In any case, the computational amount of 6M+4S is 
required- The number of repetitions of the steps 504, 
505, 506, 507, 508, 509, or the steps 504, 505, 506, 
5 510, 511, 512 is (bit length of the scalar value d)-l. 
Therefore, in consideration of the computational amount 
of doubling in the step 502, and the computational 
amount necessary for calculating (m-l)P in the step 
514, the entire computational amount is (6M+4S)k+M. 
10 Here, k is the bit length of the scalar value d. In 

general, since the computational amount S is estimated 
to be of the order of S=0.8M, the entire computational 
amount is approximately (9.2k+l)M. For example, when 
the scalar value d indicates 160 bits (k-160), the 
15 computational amount of algorithm of the aforementioned 
procedure is about 1473 M. The computational amount 
per bit of the scalar value d is about 9.2 M. In A. 
Miyaji, T. One, H. Cohen, Efficient elliptic curve 
exponentiation using mixed coordinates, Advances in 
20 Cryptology Proceedings of ASIACRYPT' 98 , LNCS 1514 

(1998) pp. 51-65, the scalar multiplication method using 
the window method and mixed coordinates mainly includ- 
ing Jacobian coordinates in the Weierstrass-f orm 
elliptic curve is described as the fast scalar multi- 
25 plication method. In this case, the computational 

amount per bit of the scalar value is estimated to be 
about 10 M. For example, when the scalar value d 
indicates 160 bits (k=160), the computational amount of 



the scalar multiplication method is about 1600 M. 
Therefore, the algorithm of the aforementioned 
procedure can be said to have a small computational 
amount and high speed. 
5 Additionally, instead of using the afore- 

mentioned algorithm in the fast scalar multiplication 
unit 202, another algorithm may be used as long as the 
algorithm outputs X^^, Z^,, X^+i, Z^+i from the scalar value 
d and the point P on the Montgomery-form elliptic curve 

10 at high speed. 

The computational amount required for 
recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 
12M+S+I, and this is far small as compared with the 

15 computational amount of (9.2k+l)M necessary for fast 

scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 

20 computational amount necessary for the fast scalar 

multiplication of the fast scalar multiplication unit. 
Assuming I=40M, S=0.8M, the computational amount can be 
estimated to be about ( 9 . 2k+53 . 8 ) M . For example, when 
the scalar value d indicates 160 bits (k=160) , the 

25 computational amount necessary for the scalar multipli- 
cation is about 1526 M. The Weierstrass-f orm elliptic 
curve is used as the elliptic curve, the scalar 
multiplication method is used in which the window 
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method and the mixed coordinates mainly including the 
Jacobian coordinates are used, and the scalar- 
multiplied point is outputted as the affine coordi- 
nates. In this case, the required computational amount 
5 is about 1640 M, and as compared with this, the 
required computational amount is reduced. 

In a fourth embodiment, the scalar multi- 
plication unit 103 calculates and outputs a scalar- 
multiplied point {X^fY^rZ^) with the complete coordinate 

10 given thereto as a point of the projective coordinates 
in the Montgomery- form elliptic curve from the scalar 
value d and the point P on the Montgomery- form elliptic 
curve. The scalar value d and the point P on the 
Montgomery-form elliptic curve are inputted into the 

15 scalar multiplication unit 103 and then received by the 
fast scalar multiplication unit 202. The fast scalar 
multiplication unit 202 calculates and in the 
coordinate of the scalar-multiplied point dP= (X^, Y^, Z^) 
represented by the projective coordinates in the 

20 Montgomery- form elliptic curve, X^^^ and Z^+i in the 
coordinate of the point (d+1 ) P= (X^+i, Y^+i, Z^+i) on the 
Montgomery- form elliptic curve represented by the 
projective coordinates, and the point (d-l)P= 
(Xd_i, Yd_i, Zd_i) on the Montgomery- form elliptic curve 

25 represented by the projective coordinates from the 

received scalar value d and the given point P on the 
Montgomery- form elliptic curve, and gives the informa- 
tion together with the inputted point P=(x,y) on the 
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Montgomery- form elliptic curve represented by the 
affine coordinates to the coordinate recovering unit 
203. The coordinate recovering unit 203 recovers 
coordinates X^, Y^, and of the scalar-multiplied point 
5 dP= (X^, Y^, Z^) represented by the projective coordinates 
in the Montgomery- form elliptic curve from the given 
coordinate values X^, Z^, X^+i, Z^+i/ X^-i, Z^-i/ x and y. 
The scalar multiplication unit 103 outputs the scalar- 
multiplied point (Xd,Yd,Zd) with the coordinate 

10 completely given thereto in the projective coordinates 
as the calculation result, 

A processing of the coordinate recovering 
unit which outputs X^, Y^, Z^ from the given coordinates 
X, y, Xd, Z^, X^^,, Xd_i, Zd-i will next be described 

15 with reference to FIG. 13. 

The coordinate recovering unit 203 inputs X^ 
and Z^ in the coordinate of the scalar-multiplied point 
dP= (Xd, Yd, Zd) represented by the projective coordinates 
in the Montgomery- form elliptic curve, X^+i and Z^+i in 

20 the coordinate of the point (d+1 ) P= (X^+i, Y^+i/ Zd+i) on the 
Montgomery- form elliptic curve represented by the 
projective coordinates, X^.i and Z^-i in the coordinate of 
the point (d-1 ) P= (Xd_i, Y^-i, Z^.i) on the Montgomery- form 
elliptic curve represented by the projective coordi- 

25 nates, and (x, y) as representation of the point P on 
the Montgomery- form elliptic curve inputted into the 
scalar multiplication unit 103 in the affine coordi- 
nates, and outputs the scalar-multiplied point (X^, Y^, Z^) 



± -O O ^4^^M Ei- *W '^4' ^ O 3 O O iuf 



with the complete coordinate given thereto in the 
projective coordinates in the following procedure. 
Here, the affine coordinate of the inputted point P on 
the Montgomery- form elliptic curve is represented by 
5 (x,y), and the projective coordinate thereof is 

represented by (Xi,Yi,Zi). Assuming that the inputted 
scalar value is d, the affine coordinate of the scalar- 
multiplied point dP in the Montgomery- form elliptic 
curve is represented by (x^, y^) , and the projective 

10 coordinate thereof is represented by {X^/Yd, Z^). The 
affine coordinate of the point (d-l)P on the 
Montgomery-form elliptic curve is represented by 
(Xd-i/ Yd-i) / and the projective coordinate thereof is 
represented by (X^.^, Y^.i, Z^.^ ) . The affine coordinate of 

15 the point (d+l)P on the Montgomery- form elliptic curve 
is represented by (x^+i^yd+i)/ and the projective coordi- 
nate thereof is represented by (X^+i/ Y^+i, Z^+i) . 

In step 1301 X^.-^xZ^+i is calculated, and stored 
in the register T^. In step 1302 Z^.^xX^+i is calculated, 

20 and stored in the register T2 . In step 1303 T1-T2 is 

calculated. Here, X^.^Z^+i is stored in the register T^, 
Zd-i^d+i is stored in the register T2, and Xd_iZd+i-Zd_iXd+i is 
therefore calculated. The result is stored in the 
register T^. In step 1304 Z^xx is calculated, and 

25 stored in the register T2 . In step 1305 Xd-T2 is calcu- 
lated. Here, Z^x is stored in the register Tj/ and X^- 
xZd is therefore calculated. The result is stored in 
the register T2 . In step 1306 a square of T2 is 
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calculated. Here, X^-xZ^ is stored in the register T2, 
and (X^-kZ^)^ is therefore calculated. The result is 
stored in the register T2. In step 1307 T1XT2 is 
calculated. Here, X^-iZd+i-Zd-iXd+i is stored in the 
5 register T^, (X^-xZ^) ^ is stored in the register T^r and 
therefore (X^-xZ^) ^X^-iZd+i-Z^.^Xd+i) is calculated. The 
result is stored in the register Y^. In step 1308 4Bxy 
is calculated. The result is stored in the register T2 . 
In step 1309 T2^'^d+i is calculated. Here, 4By is stored 

10 in the register T2, and 4ByZd+i is therefore calculated. 
The result is stored in the register T2 . In step 1310 
TsXZd-i is calculated. Here, 4ByZd+i is stored in the 
register T2, and 4ByZd+iZd_i is therefore calculated. The 
result is stored in the register T2 . In step 1311 T2xZd 

15 is calculated. Here, 4ByZ^+iZd_i is stored in the 

register T2, and 4ByZd+iZd-iZd is therefore calculated. 
The result is stored in the register T2 . In step 1312 
T2xXd is calculated- Here, 4ByZd+iZd_iZd is stored in the 
register T2, and 4ByZ^_,iZ^j_iZdXd is therefore calculated. 

20 The result is stored in the register X^. In step 1313 
T2xZd is calculated. Here, 4ByZd+iZd_iZd is stored in the 
register T2, and 4ByZ^+iZd-iZdZd is therefore calculated. 
The result is stored in Z^. Therefore, 4ByZ^+iZ^_-LZdZd is 
stored in Z^. In the step 1307 (X^-xZ^) ^ (X^-iZd+i-Zd-iX^^ J 

25 is stored in the register Y^, and is not updated 
thereafter, and therefore the value is held. 

A reason why all values in the projective 
coordinate (X^,Y^,Z^) of the scalar-multiplied point are 
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recovered from x, y, X^, Z^/ X^+i, Z^+i, X^.i, Z^-i given by 
the aforementioned procedure is as follows. The point 
(d+l)P is a point obtained by adding the point P to the 
point dP, and the point (d-l)P is a point obtained by 
5 subtracting the point P from the point dP. Thereby, 
Equation 7 can be obtained. The coordinate recovering 
unit 203 outputs (X^,Y^,Z^) as the complete coordinate 
represented by the projective coordinate of the scalar- 
multiplied point. 

10 Assignment to the addition formulae in the 

affine coordinates of the Montgomery- form elliptic 
curve results in Equations 6, 7. When the opposite 
sides are individually subjected to subtraction. 
Equation 8 is obtained. Therefore, Equation 9 results. 

15 Here, x^^X^Z^, yi^^i^X^^^/Z^^^, y^a-i=^^-i/^^-i^ The value is 
assigned and thereby converted to the value of the 
projective coordinate. Then, Equation 7 is obtained. 

Although x^^X^/Zd, reduction to the denominator 
common with that of y^ is performed, and thereby 

20 Equation 20 results. As a result, the following 
equation is obtained. 

= {^d-\^d+i ~~ ^d-\^d+i){^d ^ ^d^) 
. . . Equation 21 

Then, X^ and Z^ may be updated by the following 
25 equations, respectively. 
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4ByZ,,,Z,_,Z,X, 

. . . Equation 22 

. . . Equation 23 

5 Here, X^, Y^, are given by the processing of FIG. 13. 
Therefore, all the values of the projective coordinate 
(X^fY^fZ^) are recovered- 

For the aforementioned procedure, in the 
steps 1301, 1302, 1304, 1307, 1308, 1309, 1310, 1311, 

10 1312, and 1313, the computational amount of multipli- 
cation on the finite field is required. Moreover, the 
computational amount of squaring on the finite field is 
required in the step 1306. The computational amount of 
subtraction on the finite field is relatively small as 

15 compared with the computational amount of multiplica- 
tion on the finite field and the computational amount 
of squaring, and may therefore be ignored- Assuming 
that the computational amount of multiplication on the 
finite field is M, and the computational amount of 

20 squaring on the finite field is S, the above procedure 
requires a computational amount of lOM+S. This is far 
small as compared with the computational amount of the 
fast scalar multiplication. For example, when the 
scalar value d indicates 160 bits, the computational 

25 amount of the fast scalar multiplication is estimated 
to be a little less than about 1500 M. Assuming 
S=0.8M, the computational amount of coordinate 



recovering is 10.8 M, and far small as compared with 
the computational amount of the fast scalar multipli- 
cation. Therefore, it is indicated that the coordinate 
can efficiently be recovered. 

Additionally, even when the above procedure 
is not taken, the values of X^, Y^, given by the above 
equation can be calculated, and the values of X^/ Y^, Z^ 
can then be recovered. Moreover, the values of X^, Y^, 
Zd are selected so that x^, y^ take the values given by 
the aforementioned equations, the values can be 
calculated, and then X^, Y^, Z^ can be recovered. In 
this case, the computational amount required for 
recovering generally increases- Furthermore, when the 
value of B as the parameter of the elliptic curve is 
set to be small, the computational amount of multipli- 
cation in the step 1308 can be reduced. 

An algorithm which outputs X^, Z^, X^+if Z^+i, 
^d-i/ Z^.i from the scalar value d and the point P on the 
Montgomery- form elliptic curve will next be described. 

The fast scalar multiplication method of the 
third embodiment is used as the fast scalar multipli- 
cation method of the fast scalar multiplication unit 
202 of the fourth embodiment. Thereby, as the 
algorithm which outputs X^, Z^/ X^+i, Z^+i, X^-i/ Z^.i from 
the scalar value d and the point P on the Montgomery- 
form elliptic curve, the fast algorithm is achieved. 
Additionally, instead of using the aforementioned 
algorithm in the fast scalar multiplication unit 202, 
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another algorithm may be used as long as the algorithm 
outputs Xd, X^+i^ ZdH-i/ Xd_i, Zd_i from the scalar value 

d and the point P on the Montgomery- form elliptic curve 
at high speed. 
5 The computational amount required for 

recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 
lOM+S, and this is far small as compared with the 
computational amount of {9.2k+l)M necessary for fast 

10 scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 
computational amount necessary for the fast scalar 

15 multiplication of the fast scalar multiplication unit. 
Assuming S=0,8M, the computational amount can be 
estimated to be about ( 9 . 2k+ll . 8 ) M. For example, when 
the scalar value d indicates 160 bits (k=160) , the 
computational amount necessary for the scalar multipli- 

20 cation is 1484 M. The Weierstrass-f orm elliptic curve 
is used as the elliptic curve, the scalar multipli- 
cation method is used in which the window method and 
the mixed coordinates mainly including the Jacobian 
coordinates are used, and the scalar-multiplied point 

25 is outputted as the Jacobian coordinates. In this 

case, the required computational amount is about 1600 
M, and as compared with this, the required computa- 
tional amount is reduced. 
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In a fifth embodiment, the scalar multi- 
plication unit 103 calculates and outputs a scalar- 
multiplied point (x^^Yd) with the complete coordinate 
given thereto as a point of the affine coordinates in 
5 the Montgomery- form elliptic curve from the scalar 

value d and the point P on the Montgomery-form elliptic 
curve. The scalar value d and the point P on the 
Montgomery- form elliptic curve are inputted into the 
scalar multiplication unit 103 and then received by the 

10 fast scalar multiplication unit 202. The fast scalar 
multiplication unit 202 calculates in the coordinate 
of the scalar-multiplied point dP= (x^/ Yd) represented by 
the affine coordinates in the Montgomery- form elliptic 
curve, x^+i in the coordinate of the point (d+l)P= 

15 (Xd+i,yd+i) on the Montgomery- form elliptic curve 

represented by the afffine coordinates, and x^-i in the 
coordinate of the point (d-l) P= (Xd_i, Yd-i) on the 
Montgomery-form elliptic curve represented by the 
affine coordinates from the received scalar value d and 

2 0 the given point P on the Montgomery- form elliptic 
curve, and gives the information together with the 
inputted point P=(x,y) on the Montgomery- form elliptic 
curve represented by the affine coordinates to the 
coordinate recovering unit 203. The coordinate 

25 recovering unit 203 recovers coordinates yd of the 

scalar-multiplied point dP=(Xd,yd/) represented by the 
affine coordinates in the Montgomery- form elliptic 
curve from the given coordinate values x^, ^d+if ^d-i/ ^ 



and y. The scalar multiplication unit 103 outputs the 
scalar-multiplied point (Xd/Yd) with the coordinate 
completely given thereto in the affine coordinates as 
the calculation result. 
5 A processing of the coordinate recovering 

unit which outputs x^, from the given coordinates x, 
y, Xd+i/ Xd_i will next be described with reference to 
FIG. 26. 

The coordinate recovering unit 203 inputs x^ 

10 in the coordinate of the scalar-multiplied point 

dP=(Xd,yd) represented by the affine coordinates in the 
Montgomery- form elliptic curve, Xd-,i in the coordinate of 
the point (d+1 ) P= (x^+i, Ydn-i) on the Montgomery- form 
elliptic curve represented by the affine coordinates, 

15 Xd_i in the coordinate of the point (d-1 ) P= (Xd-i/ Yd-i) on 
the Montgomery- form elliptic curve represented by the 
affine coordinates, and (x,y) as representation of the 
point P on the Montgomery-form elliptic curve inputted 
into the scalar multiplication unit 103 in the affine 

20 coordinates, and outputs the scalar-multiplied point 
(Xd, Yd) with the complete coordinate given thereto in 
the affine coordinates in the following procedure. 

In step 2601 Xd-x is calculated, and stored in 
the register T^ . In step 2602 a square of T^, that is, 

25 (Xd-x)^ is calculated, and stored in the register T^. In 
step 2 603 Xd.i-Xd+i is calculated, and stored in the 
register T2 . In step 2604 T^xTa is calculated. Here, 
(Xd-x)^ is stored in the register T^, Xd^i-Xd+i is stored 



in the register T2, and therefore (Xd^x) ^ (Xd-i-x^+i) is 
calculated. The result is stored in the register . 
In step 2605 4Bxy is calculated, and stored in the 
register T2 . In step 2606 an inverse element of T2 is 
5 calculated. Here, 4By is stored in the register T2/ and 
l/4By is therefore calculated. The result is stored in 
the register T2 . In step 2607 T1XT2 is calculated. 
Here, (x^-x) ^ (Xd-i-x^+i) is stored in the register T^, 
l/4By is stored in the register T2, and (x^-x) ^ (x^-i- 

10 Xd+i) /4By is therefore calculated. The result is stored 
in register y^. Therefore, (x^-x) ^ (x^-i-x^+i) /4By is 
stored in the register y^. Since register x^ is not 
updated, the inputted value is held. 

A reason why the y coordinate y^ of the 

15 scalar-multiplied point is recovered by the afore- 
mentioned procedure is as follows. Additionally, the 
point {d+l)P is a point obtained by adding the point P 
to the point dP, and the point (d-l)P is a point 
obtained by subtracting the point P from the point dP . 

20 Thereby, assignment to the addition formulae in the 
affine coordinates of the Montgomery- form elliptic 
curve results in Equations 6, 7. 

When the opposite sides are individually 
subjected to subtraction. Equation 8 is obtained. 

25 Therefore, Equation 9 results. 

Here, x^, y^ are given by the processing of 
FIG. 26. Therefore, all the values of the affine 
coordinate i^^df Va) recovered. 
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For the aforementioned procedure, in the 
steps 2604, 2605, and 2607, the computational amount of 
multiplication on the finite field is required. 
Moreover, the computational amount of squaring on the 
5 finite field is required in the step 2602. Further- 
more, the computational amount of inversion on the 
finite field is required in the step 2606. The 
computational amount of subtraction on the finite field 
is relatively small as compared with the computational 

10 amounts of multiplication on the finite field, squar- 
ing, and inversion, and may therefore be ignored. 
Assuming that the computational amount of multiplica- 
tion on the finite field is M, the computational amount 
of squaring on the finite field is S, and the computa- 

15 tional amount of inversion on the finite field is I, 

the above procedure requires a computational amount of 
3M+S+I. This is far small as compared with the 
computational amount of the fast scalar multiplication. 
For example, when the scalar value d indicates 160 

20 bits, the computational amount of the fast scalar 

multiplication is estimated to be a little less than 
about 1500 M. Assuming S=0.8M and 1=4 OM, the computa- 
tional amount of coordinate recovering is 43.8 M, and 
far small as compared with the computational amount of 

25 the fast scalar multiplication. Therefore, it is 
indicated that the coordinate can efficiently be 
recovered . 

Additionally, even when the above procedure 
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is not taken, and when the value of the right side of 
the equation can be calculated, the value of can be 
recovered- In this case, the computational amount 
required for recovering generally increases. Further- 
5 more, when the value of B as the parameter of the 

elliptic curve is set to be small, the computational 
amount of multiplication in the step 2605 can be 
reduced. 

A processing of the fast scalar multiplica- 

10 tion unit which outputs x^, x^-^^, x^.i from the scalar 

value d and the point P on the Montgomery-form elliptic 
curve will next be described with reference to FIG. 6. 

The fast scalar multiplication unit 202 
inputs the point P on the Montgomery-form elliptic 

15 curve inputted into the scalar multiplication unit 103, 
and outputs x^ in the scalar-multiplied point dP=(x,i,yd) 
represented by the affine coordinate in the Montgomery- 
form elliptic curve, x^+i in the point (d+1 ) P= (x^+i/ yd+i) 
on the Montgomery- form elliptic curve represented by 

20 the affine coordinate, and x^^^ in the point (d-l)P= 
(^d-i/Yd-i) on the Montgomery- form elliptic curve 
represented by the affine coordinate by the following 
procedure. In step 601, the initial value 1 is 
assigned to the variable I. The doubled point 2P of 

25 the point P is calculated in step 602. Here, the point 
P is represented as (x,y, 1) in the projective coordi- 
nate, and the formula of doubling in the projective 
coordinate of the Montgomery-form elliptic curve is 
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used to calculate the doubled point 2P. In step 603, 
the point P on the elliptic curve inputted into the 
scalar multiplication unit 103 and the point 2P 
obtained in the step 602 are stored as a set of points 
5 (P,2P). Here, the points P and 2P are represented by 
the projective coordinate. It is judged in step 604 
whether or not the variable I agrees with the bit 
length of the scalar value d. With agreement, the flow 
goes to step 614. With disagreement, the flow goes to 

10 step 605. The variable I is increased by 1 in the step 
605. It is judged in step 606 whether the value of the 
I-th bit of the scalar value is 0 or 1. When the value 
of the bit is 0, the flow goes to the step 607. When 
the value of the bit is 1, the flow goes to step 610. 

15 In step 607, addition mP+(m+l)P of points mP and (m+l)P 
is performed from the set of points (mP, (m+l)P) 
represented by the projective coordinate, and the point 
(2m+l)P is calculated. Thereafter, the flow goes to 
step 608. Here, the addition mP+(m+l)P is calculated 

20 using the addition formula in the projective coordinate 
of the Montgomery- form elliptic curve. In step 608, 
doubling 2(mP) of the point mP is performed from the 
set of points (mP, (m+l)P) represented by the projective 
coordinate, and the point 2mP is calculated. There- 

25 after, the flow goes to step 609. Here, the doubling 
2 (mP) is calculated using the formula of doubling in 
the projective coordinate of the Montgomery- form 
elliptic curve. In the step 609, the point 2mP 



. Jv O 0"^"^^'A^ ittSr '£m * O >S 3 O 'u3 S 



obtained in the step 608 and the point {2m+l)P obtained 
in the step 607 are stored as the set of points (2inP, 
(2m+l)P) instead of the set of points (mP, (m+l)P). 
Thereafter, the flow returns to the step 604. Here, 
5 the points 2mP, (2in+l)P, mP, and (m+l)P are all 

represented in the projective coordinates- In step 
610, addition mP+(in+l)P of the points mP, (m+l)P is 
performed from the set of points (mP, (m+l)P) 
represented by the projective coordinates, and the 

10 point (2m+l)P is calculated. Thereafter, the flow goes 
to step 611. Here, the addition mP+(m+l)P is calcu- 
lated using the addition formula in the projective 
coordinates of the Montgomery-form elliptic curve • In 
the step 611, doubling 2({m+l)P) of the point (m+l)P is 

15 performed from the set of points (mP, (m+l)P) 

represented by the projective coordinates, and the 
point (2m+2)P is calculated. Thereafter, the flow goes 
to step 612. Here, the doubling 2((m+l)P) is calcu- 
lated using the formula of doubling in the projective 

20 coordinates of the Montgomery- form elliptic curve. In 
the step 612, the point (2m+l)P obtained in the step 
610 and the point (2m+2)P obtained in the step 611 are 
stored as the set of points ( (2m+l) P, (2m+2 ) P) instead 
of the set of points (mP, (m+l)P). Thereafter, the flow 

25 returns to the step 604. Here, the points (2m+l)P, 
(2m+2)P, mP, and (m+l)P are all represented in the 
projective coordinates. In step 614, from the set of 
points (mP, (m+l)P) represented by the projective 
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coordinates^ X-coordinate X^^.^ and Z-coordinate Z^^i in 
the projective coordinates of the point {m-l)P are 
obtained as X^.^ and Z^.^. Thereafter, the flow goes to 
step 615. In the step 615, X^^ and Z^^ are obtained as X^ 
5 and Z^ from the point iaP= (X„, Y^, Z^) represented by the 
projective coordinates, and X^^+i and Zj^+i are obtained as 
Xd+i and Zd+i from the point (m+1 ) P= (X^+i, Y^^.i, Z^^i) 
represented by the projective coordinates. Here, and 
Yj^+i are not obtained, because Y-coordinate cannot be 
10 obtained by the addition and doubling formulae in the 
projective coordinates of the Montgomery- form elliptic 
curve. From X^-i, Z^.^, X^, Z^, X^+i, and Z^+i, x^-i/ x^/ x^+i 
are obtained as follows. 

^rf-l ~ ^ d-\Z dZ d+\ I Z d-\Z ^^y^ 

15 - - , Equation 24 

— Z d-\^ dZ d+\ f Z d~\Z dZ a+\ 
. . . Equation 25 

^d+\ ~ Z d-\Z d^ d^\ I Z d~\Z dZ d-^\ 
. . . Equation 2 6 

20 Thereafter, the flow goes to step 613. In the step 
613, x^_i, x^, x^+i are outputted. In the above 
procedure, m and scalar value d are equal in the bit 
length and bit pattern, and are therefore equal. 
Moreover, when (m-l)P is obtained in step 614, it may 

25 be obtained by Equations 13, 14. If m is an odd 

number, a value of {(m-l)/2)P is separately held in the 
step 612, and (m-l)P may be obtained from the value by 
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the doubling formula of the Montgomery- form elliptic 
curve . 

The computational amount of the addition 
formula in the projective coordinates of the 
5 Montgomery-form elliptic curve is 3M-f2S with Z^^l . 

Here, M is the computational amount of multiplication 
on the finite field, and S is the computational amount 
of squaring on the finite field. The computational 
amount of the formula of doubling in the projective 

10 coordinates of the Montgomery-form elliptic curve is 
3M+2S. When the value of the I-th bit of the scalar 
value is 0, the computational amount of addition in the 
step 607, and the computational amount of doubling in 
the step 608 are required. That is, the computational 

15 amount of 6M+4S is required. When the value of the I- 
th bit of the scalar value is 1, the computational 
amount of addition in the step 610, and the computa- 
tional amount of doubling in the step 611 are required. 
That is, the computational amount of 6M+4S is required. 

20 In any case, the computational amount of 6M+4S is 

required. The number of repetitions of the steps 604, 
605, 606, 607, 608, 609, or the steps 604, 605, 606, 
610, 611, 612 is (bit length of the scalar value d)-l. 
Therefore, in consideration of the computational amount 

25 of doubling in the step 602, the computational amount 
necessary for calculating (m-l)P in the step 614, and 
the computational amount of transform to the affine 
coordinate, the entire computational amount is 
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(6M-f4S) k+llM-f I . Here, k is the bit length of the 
scalar value d. In general, since the computational 
amount S is estimated to be of the order of S=0.8 M, 
and the computational amount I is estimated to be of 
5 the order of 1=40 M, the entire computational amount is 
approximately {9.2k4-51)M. For example, when the scalar 
value d indicates 160 bits (k=160), the computational 
amount of algorithm of the aforementioned procedure is 
about 152 3 M. The computational amount per bit of the 
10 scalar value d is about 9.2 M. In A. Miyaji, T. Ono, 

H. Cohen, Efficient elliptic curve exponentiation using 
mixed coordinates. Advances in Cryptology Proceedings 
of ASIACRYPT' 98, LNCS 1514 (1998) pp. 51-65, the scalar 
multiplication method using the window method and mixed 
15 coordinates mainly including Jacobian coordinates in 

the Weierstrass-form elliptic curve is described as the 
fast scalar multiplication method. In this case, the 
computational amount per bit of the scalar value is 
estimated to be about 10 M, and additionally the 
20 computational amount of the transform to the affine 

coordinates is required. For example, when the scalar 
value d indicates 160 bits (k=160) , the computational 
amount of the scalar multiplication method is about 
1650 M. Therefore, the algorithm of the aforementioned 
25 procedure can be said to have a small computational 
amount and high speed. 

Additionally, instead of using the afore- 
mentioned algorithm in the fast scalar multiplication 
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unit 202, another algorithm may be used as long as the 
algorithm outputs x^, x^+if x^-i from the scalar value d 
and the point P on the Montgomery-form elliptic curve 
at high speed. 
5 The computational amount required for 

recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 
3M+S+I, and this is far small as compared with the 
computational amount of (9.2k+51)M necessary for fast 

10 scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 
computational amount necessary for the fast scalar 

15 multiplication of the fast scalar multiplication unit. 
Assuming S=0.8M and I=40M, the computational amount can 
be estimated to be about ( 9 . 2k+94 . 8 ) M. For example, 
when the scalar value d indicates 160 bits (k=160), the 
computational amount necessary for the scalar multipli- 

20 cation is about 1567 M. The Weierstrass-f orm elliptic 
curve is used as the elliptic curve, the scalar 
multiplication method is used in which the window 
method and the mixed coordinates mainly including the 
Jacobian coordinates are used, and the scalar- 

25 multiplied point is outputted as the affine coordi- 
nates. In this case, the required computational amount 
is about 1640 M, and as compared with this, the 
required computational amount is reduced. 
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In a sixth embodiment, the Weierstrass-f orm 
elliptic curve is used as the elliptic curve. That is, 
the elliptic curve for use in input/output of the 
scalar multiplication unit 103 is the Weierstrass-f orm 
5 elliptic curve. Additionally, as the elliptic curve 
used in internal calculation of the scalar multipli- 
cation unit 103, the Montgomery- form elliptic curve to 
which the given Weierstrass-f orm elliptic curve can be 
transformed may be used. The scalar multiplication 

10 unit 103 calculates a scalar-multiplied point (x^, yd) 

with the complete coordinate given thereto as the point 
of the affine coordinates in the Weierstrass-f orm 
elliptic curve from the scalar value d and the point P 
on the Weierstrass-f orm elliptic curve. The scalar 

15 value d and the point P on the Weierstrass-f orm 

elliptic curve are inputted into the scalar multipli- 
cation unit 103, and received by the scalar multiplica- 
tion unit 202. The fast scalar multiplication unit 202 
calculates and in the coordinate of the scalar- 

20 multiplied point dP= (X^, Y^, Z^) represented by the projec- 
tive coordinates in the Weierstrass-f orm elliptic 
curve, X^+i and Z^+i in the coordinate of the point 
(d+1) P= (Xd-,1, Yd+i, Zd+i) on the Weierstrass-f orm elliptic 
curve represented by the projective coordinates, and X^-i 

25 and Z^.i in the coordinate of the point (d-l)P= 

(Xd-iA Yd.i, Zd_i) on the Weierstrass-f orm elliptic curve 
represented by the projective coordinates from the 
received scalar value d and the given point P on the 
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Weierstrass-f orm elliptic curve, and gives the informa- 
tion together with the inputted point P={x,y) on the 
Weierstrass-f orm elliptic curve represented by the 
affine coordinates to the coordinate recovering unit 
5 203. The coordinate recovering unit 203 recovers 
coordinates and of the scalar-multiplied point 
dP=(Xd,yd) represented by the affine coordinates in the 
Weierstrass-f orm elliptic curve from the given 
coordinate values X^, Z^^ ^d+if ^d+if ^d-i/ ^d-if ^ ^^id y. 

10 The scalar multiplication unit 103 outputs the scalar- 
multiplied point (Xd,yd) with the coordinate completely 
given thereto in the affine coordinates as the calcula- 
tion result. 

A processing of the coordinate recovering 

15 unit which outputs x^, y^ from the given coordinates x, 
y, Xd+i, Zd+i/ Xd_i/ Zd_i will next be described with 

reference to FIG. 14. 

The coordinate recovering unit 203 inputs X^ 
and Zd in the coordinate of the scalar-multiplied point 

20 dP= (Xd, Yd, Zd) represented by the projective coordinates 
in the Weierstrass-f orm elliptic curve, X^+i and Z^+i in 
the coordinate of the point (d+1 ) P= (Xd+i, Y^+i, Z^+i) on the 
Weierstrass-f orm elliptic curve represented by the 
projective coordinates, X^.i and Z^.i in the coordinate of 

25 the point (d-1 ) P= (X^-i, Y^.i, Z^.J on the Weierstrass-f orm 
elliptic curve represented by the projective coordi- 
nates, and (x,y) as representation of the point P on 
the Weierstrass-f orm elliptic curve inputted into the 
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scalar multiplication unit 103 in the affine coordi- 
nates, and outputs the scalar-multiplied point (Xd,Yd) 
with the complete coordinate given thereto in the 
affine coordinates in the following procedure. Here, 
5 the affine coordinate of the inputted point P on the 
Weierstrass-f orm elliptic curve is represented by 
(x,y), and the projective coordinate thereof is 
represented by (Xi^Yi^ZJ. Assuming that the inputted 
scalar value is d, the affine coordinate of the scalar- 

10 multiplied point dP in the Weierstrass-f orm elliptic 
curve is represented by (Xd,yd)/ and the projective 
coordinate thereof is represented by (X^fY^.Z^). The 
affine coordinate of the point (d-l)P on the 
Weierstrass-f orm elliptic curve is represented by 

15 (Xd-i,yd-i)f and the projective coordinate thereof is 

represented by (X^.i, Y^.i, Z^-i) . The affine coordinate of 
the point (d+l)P on the Weierstrass-f orm elliptic curve 
is represented by {Xci+ifYd+i)f and the projective 
coordinate thereof is represented by (X^+i, Y^+i, Z^+i) - 

20 In step 1401 Xd-iXZ^+i is calculated, and stored 

in the register T^. In step 1402 Z^.^xX^^^ is calculated, 
and stored in the register T2 . In step 1403 T1-T2 is 
calculated. Here, X^-iZ^.^ is stored in the register T^, 
Zd-i^d+i is stored in the register T2, and Xd-iZ^+i-Zd-iXd+i is 

25 therefore calculated. The result is stored in the 
register T^. In step 1404 Z^xx is calculated, and 
stored in, the register T2 . In step 1405 X^-T^ is 
calculated. Here, Z^x is stored in the register T2, and 



L% *0 f S .& *^4- w O 3 'O H" 



Xrf-xZd is therefore calculated. The result is stored in 
the register T2 . In step 1406 a square of is calcu- 
lated. Here, X^-xZ^ is stored in the register T2, and 
(Xd"XZd)^ is therefore calculated. The result is stored 
5 in the register T2 . In step 1407 T^xTs is calculated. 
Here, Xd-iZd+i-Z^-iXd+i is stored in the register T^, (X^- 
xZ^)^ is stored in the register T2, and therefore (X^- 
xZ^) ^ (Xd_iZd+i~Zrf_iXd+i) is calculated. The result is stored 
in the register T^. In step 1408 4xy is calculated. 

10 The result is stored in the register T2 . In step 1409 
T2xZd+i is calculated. Here, 4y is stored in the 
register T2, and 4yZd+i is therefore calculated. The 
result is stored in the register T2 . In step 1410 T2xZd_3 
is calculated. Here, ^yZ^^^ is stored in the register 

15 T2, and ^yZ^^^Z^.^ is therefore calculated. The result is 
stored in the register T2 . In step 1411 TsXZ^ is 
calculated. Here, ^yZ^^^Z^.^ is stored in the register 
T2, and 4yZd^iZd_,Z^ is therefore calculated- The result 
is stored in the register T2 . In step 1412 T2xXd is 

20 calculated. Here, 4yZd+iZd_iZd is stored in the register 
T2, and 4yZd^iZd-iZ^Xd is therefore calculated. The result 
is stored in the register T3 . In step 1413 T2xZd is 
calculated. Here, 4yZ^_iZd+iZ^ is stored in the register 
T2, and 4yZd^.iZd_iZdZ^ is therefore calculated. The result 

25 is stored in T2 . In step 1414, the inverse element of 
the register Tg is calculated. Here, 4yZd^.iZd_iZdZd is 
stored in the register T2. Therefore, l/4yZd4.iZd_iZdZd is 
calculated. The result is stored in the register T2. 
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In step 1415 T2XT3 is calculated. Here, l/4yZd+iZd_iZdZd is 
stored in the register T2, and ^yZ^-iZd+iZ^Xd is stored in 
the register T3 . Therefore, i^yZ^+iZ^^^Z^X^) / {iYZ^^:,Z^.^Z^Z^) 
is calculated. The result is stored in the register x^^. 
5 In step 1416 T1XT2 is calculated. Here, the register T^ 
stores (Xrf-xZd) ^ (Xd.iZd+i-Zd_iXd+i) and the register T2 stores 
1/ 4yZcn.iZd-iZj3Zc[ - Therefore, (X^^.^^Zd+i^Zci.iXjj+j^ ) (X^-Z^x)V 
4yZd^iZd-iZ/ is calculated. The result is stored in the 
register y^. Therefore, the register y^ stores {X^_^Z^+^- 

10 Z^.iXd,J (X^-Z^x) V4yZd-lZd^lZ^^ In step 1415 { 4yZd_,Zd,iZdXJ / 
(4yZd_iZd+iZdZd) is stored in the register x^^, and is not 
updated thereafter, and therefore the value is held. 

A reason why all values in the affine 
coordinate (Xd,yd) of the scalar-multiplied point are 

15 recovered from x, y, X^, Z^, X^+i, Z^+i, X^-i, Z^_^ given by 
the aforementioned procedure is as follows. The point 
(d+l)P is a point obtained by adding the point P to the 
point dP, and the point (d-l)P is a point obtained by 
subtracting the point P from the point dP. Assignment 

20 to addition formulae in the affine coordinates of the 
Weierstrass-form elliptic curve results in the 
following equations . 

(x + + x^^,){x^ - xf = (y, - yf 
. . . Equation 27 
25 (x + x,+ x^_,){x^ - xf = (y, + yf 

. . . Equation 2 8 

When opposite sides are individually subjected to 
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subtraction, the following equation is obtained. 

, . . Equation 29 
Therefore, the following results. 

5 y^= {x^-i - x^^, ){x^ - xf I Ay 

. . . Equation 30 

Here, Xd=Xd/Zd, Xd+i=Xd+i/Zd+i, Xd_i=Xd_i/Zd-i . The value is 
assigned and thereby converted to a value of the 
projective coordinate. Then, the following equation is 
10 obtained. 

. . . Equation 31 

Although y^^^X^/Z^, reduction to a denominator common with 
that of Yd is performed for a purpose of reducing a 
15 frequency of inversion, and the following equation is 
obtained. 



AyZ,^,Z,_,Z,X, 
. - . Equation 32 



Here, x^, are given by the processing of FIG. 14. 
20 Therefore, all the values of the affine coordinate 
(Xd/yd) recovered. 

For the aforementioned procedure, in the 
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steps 1401, 1402, 1404, 1407, 1409, 1410, 1411, 1412, 
1413, 1415, and 1416, the computational amount of 
multiplication on the finite field is required. 
Moreover, in the multiplication in the step 1408, since 
5 the value of the multiplicand is small as 4, the 

computational amount is relatively small as compared 
with the computational amount of usual multiplication, 
and may be ignored. Moreover, in the step 1406 the 
computational amount of squaring on the finite field is 

10 required. Furthermore, in the step 1414, the computa- 
tional amount of the inversion on the finite field is 
required. The computational amount of subtraction on 
the finite field is relatively small as compared with 
the computational amounts of multiplication on the 

15 finite field, squaring, and inversion, and may there- 
fore be ignored. Assuming that the computational 
amount of multiplication on the finite field is M, the 
computational amount of squaring on the finite field is 
S, and the computational amount of inversion on the 

20 finite field is I, the above procedure requires a 

computational amount of IIM+S+I. This is very small as 
compared with the computational amount of fast scalar 
multiplication. For example, when the scalar value d 
indicates 160 bits, the computational amount of the 

25 fast scalar multiplication is estimated to be a little 
less than about 1500 M. Assuming S=0.8 M, 1=40 M, the 
computational amount of coordinate recovering is 51.8 
M, and this is very small as compared with the 



:i G O H" ^"ii E £ju ^ >J -3 OCii E 



computational amount of the fast scalar multiplication. 
Therefore, it is indicated that the coordinate can 
efficiently be recovered. 

Additionally, even when the above procedure 
5 is not taken, the values of x^, yd given by the above 

equation can be calculated, and the values of x^, y^ can 
then be recovered. In this case, the computational 
amount necessary for the recovering generally 
increases . 

10 A processing of the fast scalar multiplica- 

tion unit which outputs X^, Z^, X^+i, Z^+i, X^.^, Z^_^ from 
the scalar value d and the point P on the Weierstrass- 
form elliptic curve will next be described with 
reference to FIG. 7. 

15 The fast scalar multiplication unit 202 

inputs the point P on the Weierstrass-f orm elliptic 
curve inputted into the scalar multiplication unit 103, 
and outputs and in the scalar-multiplied point 
clP= (Xd, Yd, Zd) represented by the projective coordinate in 

20 the Weierstrass-form elliptic curve, Xd+i and Z^+i in the 
point (d+1) P= (Xd+i, Yd+i, Zd^-i) on the Weierstrass-form 
elliptic curve represented by the projective coordi- 
nate, and Xd_i and Z^.^ in the point (d-1 ) P= {Xd_i, Yd_i, Zd_i ) 
on the Weierstrass-form elliptic curve represented by 

25 the projective coordinate by the following procedure. 
In step 716^ the given point P on the Weierstrass-form 
elliptic curve is transformed to the point represented 
by the projective coordinates on the Montgomery- form 
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elliptic curve. This point is set anew as point P. In 
step 701, the initial value 1 is assigned to the 
variable I, A doubled point 2P of the point P is 
calculated in step 702. Here, the point P is 
5 represented as (x,y, 1) in the projective coordinate, 
and a formula of doubling in the projective coordinate 
of the Montgomery- form elliptic curve is used to 
calculate the doubled point 2P. In step 703, the point 
P on the elliptic curve inputted into the scalar 

10 multiplication unit 103 and the point 2P obtained in 
the step 702 are stored as a set of points (P,2P). 
Here, the points P and 2P are represented by the 
projective coordinate. It is judged in step 704 
whether or not the variable I agrees with the bit 

15 length of the scalar value d. With agreement, the flow 
goes to step 714, With disagreement, the flow goes to 
step 705. The variable I is increased by 1 in the step 
705. It is judged in step 706 whether the value of the 
I-th bit of the scalar value is 0 or 1 . When the value 

20 of the bit is 0, the flow goes to the step 707. When 
the value of the bit is 1, the flow goes to step 710. 
In step 707, addition mP+(m+l)P of points mP and (m+l)P 
is performed from a set of points (mP, (m+l)P) 
represented by the projective coordinate, and a point 

25 (2m+l)P is calculated. Thereafter, the flow goes to 
step 708. Here, the addition mP+(m+l)P is calculated 
using the addition formula in the projective coordinate 
of the Montgomery- form elliptic curve. In step 708, 



doubling 2 (mP) of the point mP is performed from the 
set of points (mP, (m+l)P) represented by the projective 
coordinate, and the point 2mP is calculated- There- 
after, the flow goes to step 709. Here, the doubling 
5 2 (mP) is calculated using the formula of doubling in 
the projective coordinate of the Montgomery- form 
elliptic curve. In the step 709, the point 2mP 
obtained in the step 708 and the point (2m+l)P obtained 
in the step 707 are stored as a set of points (2mP, 

10 (2m+l)P) instead of the set of points (mP, (m+l)P). 
Thereafter, the flow returns to the step 704. Here, 
the points 2mP, {2m+l)P, mP, and (m+l)P are all 
represented in the projective coordinates. In step 
710, addition mP+(m+l)P of the points mP, (m+l)P is 

15 performed from the set of points (mP, (m+l)P) 

represented by the projective coordinates, and the 
point (2m+l)P is calculated. Thereafter, the flow goes 
to step 711. Here, the addition mP+(m4-l)P is calcu- 
lated using the addition formula in the projective 

20 coordinates of the Montgomery- form elliptic curve. In 
the step 711, doubling 2((m+l)P) of the point (m+l)P is 
performed from the set of points (mP, (m+l)P) 
represented by the projective coordinates, and a point 
{2m+2)P is calculated. Thereafter, the flow goes to 

25 step 712. Here, the doubling 2({m+l)P) is calculated 
using the formula of doubling in the projective coordi- 
nates of the Montgomery-form elliptic curve. In the 
step 712, the point (2m+l)P obtained in the step 710 
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and the point (2m+2)P obtained in the step 711 are 
stored as a set of points ( {2m+l ) (2m+2 ) P) instead of 
the set of points (mP, (m+DP). Thereafter, the flow 
returns to the step 704. Here, the points (2m+l)P, 
5 (2m+2)P, mP, and {m+l)P are all represented in the 

projective coordinates. In step 714, from the set of 
points (mP, (m+l)P) represented by the projective 
coordinates, X-coordinate X^.^ and Z-coordinate Z^_i are 
obtained in the projective coordinates of the point (m- 

10 1)P. Thereafter, the flow goes to step 715. In the 
step 715, the point (m-l)P in the Montgomery- form 
elliptic curve is transformed to the point represented 
by the projective coordinates on the Weierstrass-f orm 
elliptic curve. The X-coordinate and Z~coordinate of 

15 the point are set anew to X^.i and Z^.^ . With respect to 
the set of points (mP, (m+l)p) represented by the 
projective coordinates in the Montgomery-form elliptic 
curve, the points mP and (m+l)P are transformed to 
points represented by the projective coordinates on the 

20 Weierstrass-f orm elliptic curve. The respective points 
are replaced as mP=(X,,Y,,ZJ and (m+1 ) P= (X,,,, Y,,,, Z,,,) . 
Here, since the Y-coordinate cannot be obtained by the 
addition and doubling formulae in the projective 
coordinates of the Montgomery- form elliptic curve, Y^ 

25 and Y^^^^ are not obtained. In step 713, X-coordinate X^_i 
and Z-coordinate Z^_^ of the point (m-l)P represented by 
the projective coordinates on the Weierstrass-f orm 
elliptic curve are outputted as X^.i, Z^-i/ X^ and Z^ are 
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outputted as X^, from the point mP= (X^, Y^, Z^) 
represented by the projective coordinates on the 
Weierstrass-form elliptic curve, and X^^^ and Z^^.^ are 
outputted as X^,,, Z^,, from the point (m+l) P= (X^^^, Y..^, Z,,J 
5 represented by the projective coordinates on the 
Weierstrass-form elliptic curve. In the above 
procedure, m and scalar value d are equal in the bit 
length and bit pattern, and are therefore equal. 
Moreover, when (m-l)P is obtained in step 714, it may 
10 be obtained by Equations 13, 14. If m is an odd 

number, a value of {{m~l)/2)P is separately held in the 
step 712, and (m-l)P may be obtained from the value by 
the doubling formula of the Montgomery- form elliptic 
curve . 

15 The computational amount of the addition 

formula in the projective coordinates of the 
Montgomery- form elliptic curve is 3M+2S with Z^-l . 
Here, M is the computational amount of multiplication 
on the finite field, and S is the computational amount 

20 of squaring on the finite field. The computational 
amount of the formula of doubling in the projective 
coordinates of the Montgomery-form elliptic curve is 
3M+2S. When the value of the I-th bit of the scalar 
value is 0, the computational amount of addition in the 

25 step 707, and the computational amount of doubling in 
the step 708 are required. That is, the computational 
amount of 6M+4S is required. When the value of the I- 
th bit of the scalar value is 1, the computational 
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amount of addition in the step 710, and the computa- 
tional amount of doubling in the step 711 are required. 
That is, the computational amount of 6M+4S is required. 
In any case, the computational amount of 6M+4S is 
5 required. The number of repetitions of the steps 704, 
705, 706, 707, 708, 709, or the steps 704, 705, 706, 
710, 711, 712 is (bit length of the scalar value d)-l. 
Therefore, in consideration of the computational amount 
of doubling in the step 702, the computational amount 

10 necessary for transform to the point on the Montgomery- 
form elliptic curve in the step 716, and the computa- 
tional amount of transform to the point on the 
Weierstrass-foxm elliptic curve in the step 715, the 
entire computational amount is {6M+4S)k+4M. Here, k is 

15 the bit length of the scalar value d. In general, 

since the computational amount S is estimated to be of 
the order of S=0 . 8 M, the entire computational amount 
is approximately (9.2k+4)M. For example, when the 
scalar value d indicates 160 bits (k=160) , the 

2 0 computational amount of algorithm of the aforementioned 
procedure is about 147 6 M. The computational amount 
per bit of the scalar value d is about 9.2 M. In A. 
Miyaji, T. Ono, H. Cohen, Efficient elliptic curve 
exponentiation using mixed coordinates. Advances in 

25 Cryptology Proceedings of ASIACRYPT' 98 , LNCS 1514 

(1998) pp. 51-65, the scalar multiplication method using 
the window method and mixed coordinates mainly includ- 
ing Jacobian coordinates in the Weierstrass-f orm 
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elliptic curve is described as the fast scalar multi- 
plication method. In this case, the computational 
amount per bit of the scalar value is estimated to be 
about 10 M. For example, when the scalar value d 
5 indicates 160 bits (k=160), the computational amount of 
the scalar multiplication method is about 1600 M. 
Therefore, the algorithm of the aforementioned 
procedure can be said to have a small computational 
amount and high speed. 
10 Additionally, instead of using the afore- 

mentioned algorithm in the fast scalar multiplication 
unit 202, another algorithm may be used as long as the 
algorithm outputs X^, Z^, X^^^, Z^.^, X^.^, Z^_^ from the 
scalar value d and the point P on the Weierstrass-f orm 
15 elliptic curve at high speed. 

The computational amount required for 
recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 
IIM+S+I, and this is far small as compared with the 
20 computational amount of (9.2k+4)M necessary for fast 

scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 
25 computational amount necessary for the fast scalar 

multiplication of the fast scalar multiplication unit. 
Assuming I=40M, and S=0.8M, the computational amount 
can be estimated to be about ( 9 . 2k+55 . 8 ) M. For 
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example, when the scalar value d indicates 160 bits 
(k=160) , the computational amount necessary for the 
scalar multiplication is about 1528 M. The 
Weierstrass-f orm elliptic curve is used as the elliptic 
5 curve, the scalar multiplication method is used in 
which the window method and the mixed coordinates 
mainly including the Jacobian coordinates are used, and 
the scalar-multiplied point is outputted as the affine 
coordinates. In this case, the required computational 

10 amount is about 1640 M, and as compared with this, the 
required computational amount is reduced. 

In a seventh embodiment, a Weierstrass-f orm 
elliptic curve is used as the elliptic curve. That is, 
the elliptic curve for use in input/output of the 

15 scalar multiplication unit 103 is the Weierstrass-f orm 
elliptic curve. Additionally, as the elliptic curve 
used in internal calculation of the scalar multipli- 
cation unit 103, the Montgomery- form elliptic curve to 
which the given Weierstrass-f orm elliptic curve can be 

20 transformed may be used. The scalar multiplication 

unit 103 calculates a scalar-multiplied point {X^.Y^.Z^) 
with the complete coordinate given thereto as the point 
of the projective coordinates in the Weierstrass-f orm 
elliptic curve from the scalar value d and the point P 

25 on the Weierstrass-f orm elliptic curve. The scalar 
value d and the point P on the Weierstrass-f orm 
elliptic curve are inputted into the scalar multipli- 
cation unit 103, and received by the scalar multipli- 
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cation unit 202. The fast scalar multiplication unit 
202 calculates and in the coordinate of the 
scalar-multiplied point dP= {X^/ Y^, Z^) represented by the 
projective coordinates in the Weierstrass-f orm elliptic 
5 curve, X^+i and Z^^^ in the coordinate of the point 

(d+1 ) P= (X^+i, Yd+i, Zd+i) on the Weierstrass-f orm elliptic 
curve represented by the projective coordinates, and X^.i 
and Z^_i in the coordinate of the point (d-l)P= 
(^d-i/ Yd-i/ Z^_-l) on the Weierstrass-f orm elliptic curve 

10 represented by the projective coordinates from the 

received scalar value d and the given point P on the 
Weierstrass-f orm elliptic curve, and gives the infor- 
mation together with the inputted point P=(x,y) on the 
Weierstrass-f orm elliptic curve represented by the 

15 affine coordinates to the coordinate recovering unit 
203- The coordinate recovering unit 203 recovers 
coordinates X^, and of the scalar-multiplied point 
dP= (Xd, Yd, Z^) represented by the projective coordinates 
in the Weierstrass-f orm elliptic curve from the given 

2 0 coordinate values X^, Z^, X^+i, Z^+i, X^.i, Z^-i, x and y. 

The scalar multiplication unit 103 outputs the scalar- 
multiplied point (Xd,Yd,Zd) with the coordinate 
completely given thereto in the projective coordinates 
as the calculation result. 

25 A processing of the coordinate recovering 

unit which outputs X^, Y^, Z^ from the given coordinates 
X, y, Zd, Xd+i, Zd^.1, Xd_i, Zd_i will next be described 

with reference to FIG. 15. 



G D & ^ O O S 



104 

The coordinate recovering unit 203 inputs 
and Zd in the coordinate of the scalar-multiplied point 
dP= (X^, Yci^ Z^) represented by the projective coordinates 
in the Weierstrass-f orm elliptic curve, X^^^ and Z^+i 
5 the coordinate of the point (d+1 ) P= (X^+i, Y^j+i, Z^i+i) on the 
Weierstrass-form elliptic curve represented by the 
projective coordinates, X^.^ and Z^-i in the coordinate of 
the point (d-1 ) P= (X^-i, Y^.^, Z^, J on the Weierstrass-form 
elliptic curve represented by the projective coordi- 

10 nates, and {x,y) as representation of the point P on 
the Weierstrass-form elliptic curve in the affine 
coordinates inputted into the scalar multiplication 
unit 103, and outputs the scalar-multiplied point 
(X^fY^fZ^) with the complete coordinate given thereto in 

15 the projective coordinates in the following procedure . 
Here, the affine coordinate of the inputted point P on 
the Weierstrass-form elliptic curve is represented by 
(x,y), and the projective coordinate thereof is 
represented by (Xi,Yi,Zi). Assuming that the inputted 

20 scalar value is d, the affine coordinate of the scalar- 
multiplied point dP in the Weierstrass-form elliptic 
curve is represented by (Xd,yd), and the projective 
coordinate thereof is represented by [X^rY^rZ^), The 
affine coordinate of the point (d-l)P on the 

25 Weierstrass-form elliptic curve is represented by 
(^d-i/Yd-i)/ the projective coordinate thereof is 

represented by (X^.^, Y^^^, Z^i.i) . The affine coordinate of 
the point (d+l)P on the Weierstrass-form elliptic curve 
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is represented by (x^+i,y^+i), and the projective coordi- 
nate thereof is represented by (X^+i, Y^+i, Z^^+i) , 

In step 1501 X^-iXZ^+i is calculated, and stored 
in T^. In step 1502 Zd-iXX^+i is calculated, and stored 
5 in T2. In step 1503 T1-T2 is calculated. Here, X^-iZd+i 
is stored in the register T^, Z^^.^X^+i is stored in the 
register T2, and Xd-iZ^+i-Zd-iXd+i is therefore calculated. 
The result is stored in T^. In step 1504 Z^xx is 
calculated, and stored in the register T2 . In step 1505 

10 Xci-T2 is calculated. Here, Z^x is stored in T2, and X^- 
xZd is therefore calculated. The result is stored in 
T2. In step 1506 a square of T2 is calculated. Here, 
X^-xZ^ is stored in the register T2, and (X^-xZ^)^ is 
therefore calculated. The result is stored in T2 - In 

15 step 1507 T1XT2 is calculated. Here, ^d~i'^<i+i~'^di-i^d+i is 

stored in T^, (X^-xZ^) ^ is stored in the register T2, and 
therefore (X^-xZ^) ^ (Xd_iZd+i-Zd_iXd+i) is calculated. The 
result is stored in the register Y^. In step 1508 4xy 
is calculated. The result is stored in T2 • In step 

20 1509 T2xZd+i is calculated. Here, 4y is stored in T2, and 
4yZd+i is therefore calculated- The result is stored in 
T2. In step 1510 T2xZ^_i is calculated. Here, 4yZd+i is 
stored in T2, and 4yZ^^^Z^_^ is therefore calculated. The 
result is stored in T2 . In step 1511 T2xZd is calcu- 

25 lated. Here, ^yZ^+iZ^-i is stored in the T2, and 

4yZd+iZd-iZd is therefore calculated. The result is 
stored in T2 . In step 1512 T2xXd is calculated. Here, 
4yZd+iZd-iZd is stored in T2, and 4yZd+iZd-iZdX^ is therefore 
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calculated. The result is stored in the register X^. 
In step 1513 T2XZ^ is calculated. Here, ^Y'^d-i^d+i^d is 
stored in T2, and 4yZ^+iZ^^_-LZ(3Zd is therefore calculated. 
The result is stored in Z^- Therefore, 4yZd^.iZd_iZdZd is 
5 stored in the register Z^. In the step 1507 

(X^-xZd) ^ (Xd_iZd+i-Zd-iXd+i) is stored in the register Y^, and 
is not updated thereafter, and therefore the value is 
held. In the step 1512 4yZ^+iZd„iZdXd is stored in the 
register X^, and is not updated thereafter, and there- 

10 fore the value is held. 

A reason why all values in the projective 
coordinate {X^,Y^,Z^) of the scalar-multiplied point in 
the Weierstrass-f orm elliptic curve are recovered from 
X, y, X^, Z^, X^+i, Zd-,1, Xd.i, Z^.i given by the afore- 

15 mentioned procedure is as follows. The point (d+l)P is 
a point obtained by adding the point P to the point dP, 
and the point (d-l)P is a point obtained by subtracting 
the point P from the point dP . Assignment to addition 
formulae in the affine coordinates of the Weierstrass- 

20 form elliptic curve results in Equations 27, 28. When 
opposite sides are individually subjected to subtrac- 
tion. Equation 29 is obtained. Therefore, Equation 30 
results- Here, k^=X^/Z^, ^d^i^^^d^i/ 'Z^d-^if Xd_i=Xd_;L/ ^d-i • The 
value is assigned and thereby converted to a value of 

25 the projective coordinate. Then, Equation 31 is 
obtained- Although x^^^X^/Z^, reduction to the 
denominator common with that of y^ is performed, and 
Equation 32 is obtained. 
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The following results. 

^ {^d~\^d+\ ~ ^d-\^d+\)i^d ~^d^) 
. . . Equation 33 

Then, and may be updated by the following. 
. . - Equation 34 

"^y^d^i^d^i^d^d 

. . . Equation 35 

The updating is shown above. 

10 Here, X^^, Y^/ are given by the processing 

shown in FIG. 15. Therefore, all the values of the 
projective coordinate {X^fY^.Z^) are all recovered. 

For the aforementioned procedure, in the 
steps 1501, 1505, 1504, 1507, 1509, 1510, 1511, 1512, 

15 and 1513, the computational amount of multiplication on 
the finite field is required. 

Additionally, in the multiplication of the 
step 1508, since the value of the multiplicand is small 
as 4, the computational amount is relatively small as 

2 0 compared with the computational amount of usual multi- 
plication, and may therefore be ignored. Moreover, in 
the step 1506 the computational amount of squaring on 
the finite field is required. The computational amount 
of subtraction on the finite field is relatively small 

25 as compared with the computational amounts of 

multiplication on the finite field, and squaring, and 
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may therefore be ignored. Assuming that the computa- 
tional amount of multiplication on the finite field is 
M, and the computational amount of squaring on the 
finite field is S, the above procedure requires a 
5 computational amount of 9M+S . This is very small as 
compared with the computational amount of fast scalar 
multiplication. For example, when the scalar value d 
indicates 160 bits, the computational amount of the 
fast scalar multiplication is estimated to be a little 

10 less than about 1500 M. Assuming S=0 . 8 M, the computa- 
tional amount of coordinate recovering is 9.8 M, and 
this is very small as compared with the computational 
amount of the fast scalar multiplication. Therefore, 
it is indicated that the coordinate can efficiently be 

15 recovered. 

Additionally, even when the above procedure 
is not taken, the values of X^i, Y^, given by the above 
equation can be calculated, and the values of X^, Y^, 
can be recovered. Moreover, the values of X^, Y^, are 
20 selected so that x^, yd take the values given by the 

above equations, and the values can be calculated, then 
the X^, Yd/ Zd can be recovered. In these cases, the 
computational amount required for recovering generally 
increases . 

25 The algorithm which outputs X^, Z^, Xd+i, Z^+i, 

Xd_i, Zd-i from the scalar value d and the point P on the 
Weierstrass-f orm elliptic curve will next be described. 

As the fast scalar multiplication method of 
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the scalar multiplication unit 202 of the seventh 
embodiment, the fast scalar multiplication method of 
the sixth embodiment is used. Thereby, as the 
algorithm which outputs X^, Z^, X^+i, Z^+i, X^.^, Z^_^ from 
5 the scalar value d and the point P on the Weierstrass- 
form elliptic curve, a fast algorithm can be achieved. 
Additionally, instead of using the aforementioned 
algorithm in the scalar multiplication unit 202, any 
algorithm may be used as long as the algorithm outputs 

10 X^f Zd, Xd+i, Zd+i, ^d-ir '^di-i from the scalar value d and 
the point P on the Weierstrass-f orm elliptic curve at 
high speed. 

The computational amount required for 
recovering the coordinate of the coordinate recovering 

15 unit 203 in the scalar multiplication unit 103 is 9M+S, 
and this is far small as compared with the computa- 
tional amount of (9.2k+4)M necessary for fast scalar 
multiplication of the fast scalar multiplication unit 
202. Therefore, the computational amount necessary for 

20 the scalar multiplication of the scalar multiplication 
unit 103 is substantially equal to the computational 
amount necessary for the fast scalar multiplication of 
the fast scalar multiplication unit. Assuming that 
S=0.8 M, the computational amount can be estimated to 

25 be about ( 9 . 2k+ 13 . 8 ) M. For example, when the scalar 
value d indicates 160 bits (k=160) , the computational 
amount necessary for the scalar multiplication is about 
1486 M. The Weierstrass-f orm elliptic curve is used as 
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the elliptic curve, the scalar multiplication method is 
used in which the window method and the mixed coordi- 
nates mainly including the Jacobian coordinates are 
used, and the scalar-multiplied point is outputted as 
5 the affine coordinates. In this case, the required 
computational amount is about 1600 M, and as compared 
with this, the required computational amount is 
reduced. 

In an eighth embodiment, the Weierstrass-f orm 

10 elliptic curve is used as the elliptic curve. That is, 
the elliptic curve for use in input/output of the 
scalar multiplication unit 103 is the Weierstrass-f orm 
elliptic curve. Additionally, as the elliptic curve 
used in internal calculation of the scalar multiplica- 

15 tion unit 103, the Montgomery- form elliptic curve to 

which the given Weierstrass-f orm elliptic curve can be 
transformed may be used. The scalar multiplication 
unit 103 calculates a scalar-multiplied point (x^, y^) 
with the complete coordinate given thereto as the point 

20 of the affine coordinates in the Weierstrass-f orm 

elliptic curve from the scalar value d and the point P 
on the Weierstrass-f orm elliptic curve. The scalar 
value d and the point P on the Weierstrass-f orm 
elliptic curve are inputted into the scalar multiplica- 

25 tion unit 103, and received by the scalar multiplica- 
tion unit 202. The fast scalar multiplication unit 202 
calculates x^ in the coordinate of the scalar-multiplied 
point dP={Xd, y^) represented by the affine coordinates 
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in the Weierstrass-f orm elliptic curve, x^^^ in the 
coordinate of the point (d+1 ) P= (x^+i, Yd+i) on the 
Weierstrass-f orm elliptic curve represented by the 
affine coordinates, and x^-i in the coordinate of the 
5 point (d-1 ) P= (x^_i, y^.i) on the Weierstrass-f orm elliptic 
curve represented by the affine coordinates from the 
received scalar value d and the given point P on the 
Weierstrass-f orm elliptic curve, and gives the infor- 
mation together with the inputted point P=(x,y) on the 

10 Weierstrass-f orm elliptic curve represented by the 

affine coordinates to the coordinate recovering unit 
203. The coordinate recovering unit 203 recovers 
coordinate y^ of the scalar-multiplied point dP=(Xd/yd) 
represented by the affine coordinates in the 

15 Weierstrass-f orm elliptic curve from the given 

coordinate values x^, x^+i, x^.i, x and y. The scalar 
multiplication unit 103 outputs the scalar-multiplied 
point (Xd,y^) with the coordinate completely given 
thereto in the affine coordinates as the calculation 

20 result. 

A processing of the coordinate recovering 
unit which outputs x^. Yd from the given coordinates x, 
y, x^, ^d+i/ ^d-i will next be described with reference to 
FIG. 16. 

25 The coordinate recovering unit 203 inputs Xd 

in the coordinate of the scalar-multiplied point 

dP=^{K^,y^) represented by the affine coordinates in the 
Weierstrass-f orm elliptic curve, x^+i in the coordinate 
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of the point (d+l ) P= (x^+i, y^+i) on the Weierstrass-f orm 
elliptic curve represented by the affine coordinates, 
Xd_i in the coordinate of the point (d-1 ) P= (x^.i, Yd-i) on 
the Weierstrass-f orm elliptic curve represented by the 
5 affine coordinates, and {x,y) as representation of the 
point P on the Weierstrass-f orm elliptic curve in the 
affine coordinates inputted into the scalar multipli- 
cation unit 103, and outputs the scalar-multiplied 
point i^dfYd) with the complete coordinate given thereto 

10 in the affine coordinates in the following procedure. 

In step 1601 x^-x is calculated, and stored in 
T^. In step 1602 a square of T^, that is, (x^-x)^ is 
calculated, and stored in T^. In step 1603 x^.i-x^^i is 
calculated, and stored in T2 . In step 1604 T1XT2 is 

15 calculated- Here, (x^-x)^ is stored in Ti, x^.i-Xj+i is 
stored in T2, and therefore (x^-x) ^ (x^-i-Xd+i) is calcu- 
lated. The result is stored in . In step 1605 4xy is 
calculated, and stored in T2 . In step 1606 the inverse 
element of is calculated. Here, 4y is stored in T2, 

20 and l/4y is therefore calculated. The result is stored 
in the register T2 . In step 1607 TiXTj is calculated- 
Here, (x^-x) Mx^_i-Xd^.i) is stored in T^, l/4y is stored in 
T2, and (Xd-x) ^ (Xd_i-x^+i) /4y is therefore calculated- The 
result is stored in the register y^. Therefore, (x^- 

25 x) ^ (Xd_i-Xd+i) /4y is stored in the register y^. Since the 
register x^ is not updated, the inputted value is held. 

A reason why the y-coordinate y^ of the 
scalar-multiplied point is recovered by the afore- 
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mentioned procedure is as follows. Additionally, the 
point (d+l)P is a point obtained by adding the point P 
to the point dP, and the point (d-l)P is a point 
obtained by subtracting the point P from the point dP. 
5 Thereby, assignment to the addition formulae in the 
affine coordinates of the Weierstrass-f orm elliptic 
curve results in Equations 21, 28. When the opposite 
sides are individually subjected to subtraction. 
Equation 29 is obtained. Therefore, Equation 30 

10 results. Here, x^, yd are given by the processing of 
FIG. 16. Therefore, all the values of the affine 
coordinate {Xd,yd) are all recovered. 

For the aforementioned procedure, in the 
steps 1604, and 1607, the computational amount of 

15 multiplication on the finite field is required. 

Moreover, for the multiplication of the step 1605, 
since the value of the multiplicand is small as 4, the 
computational amount is relatively small as compared 
with the computational amount of the usual multiplica- 

20 tion, and may therefore be ignored. Moreover, in the 
step 1602, the computational amount of squaring on the 
finite field is required. Furthermore, the computa- 
tional amount of inversion on the finite field is 
required in the step 1606. The computational amount of 

25 subtraction on the finite field is relatively small as 
compared with the computational amounts of multiplica- 
tion on the finite field, squaring, and inversion, and 
may therefore be ignored. Assuming that the computa- 
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tional amount of multiplication on the finite field is 
M, the computational amount of squaring on the finite 
field is S, and the computational amount of inversion 
on the finite field is I, the above procedure requires 
5 a computational amount of 2M+S+I. This is far small as 
compared with the computational amount of the fast 
scalar multiplication. For example, when the scalar 
value d indicates 160 bits, the computational amount of 
the fast scalar multiplication is estimated to be a 

10 little less than about 1500 M. Assuming S=0.8M and 

1=4 OM, the computational amount of coordinate recover- 
ing is 42.8 M, and far small as compared with the 
computational amount of the fast scalar multiplication. 
Therefore, it is indicated that the coordinate can 

15 efficiently be recovered. 

Additionally, even when the above procedure 
is not taken, and when the value of the right side of 
the equation can be calculated, the value of y^ can be 
recovered. In this case, the computational amount 

20 required for recovering generally increases. 

An algorithm which outputs x^, x^+i, x^.i from 
the scalar value d and the point P on the Weierstrass- 
form elliptic curve will next be described with 
reference to FIG, 7. 

25 The fast scalar multiplication unit 202 

inputs the point P on the Weierstrass-f orm elliptic 
curve inputted into the scalar multiplication unit 103, 
and outputs x^ in the scalar-multiplied point dF=(x^,y^) 



represented by the affine coordinate in the 
Weierstrass-f orm elliptic curve, x^^^ in the point 
(d+1) P= (Xd+i, Yd+i) on the Weierstrass-f orm elliptic curve 
represented by the affine coordinate, and k^_-^ in the 
5 point (d-1) P= (Xd_i, yd-i) on the Weierstrass-f orm elliptic 
curve represented by the affine coordinate by the 
following procedure. In step 716, the given point P on 
the Weierstrass-f orm elliptic curve is transformed to 
the point represented by the projective coordinates on 

10 the Montgomery-form elliptic curve. This point is set 
anew as point P. In step 701, the initial value 1 is 
assigned to the variable I. A doubled point 2P of the 
point P is calculated in step 702. Here, the point P 
is represented as (x,y, 1) in the projective coordinate, 

15 and a formula of doubling in the projective coordinate 
of the Montgomery- form elliptic curve is used to 
calculate the doubled point 2P. In step 703, the point 
P on the elliptic curve inputted into the scalar 
multiplication unit 103 and the point 2P obtained in 

20 the step 702 are stored as a set of points {P,2P)- 
Here, the points P and 2P are represented by the 
projective coordinate. It is judged in step 704 
whether or not the variable I agrees with the bit 
length of the scalar value d. With agreement, m=d is 

25 satisfied and the flow goes to step 714. With 

disagreement, the flow goes to step 705. The variable 
I is increased by 1 in the step 705. It is judged in 
step 706 whether the value of the I-th bit of the 
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scalar value is 0 or 1. When the value of the bit is 
0, the flow goes to the step 707. When the value of 
the bit is 1, the flow goes to step 710. In step 707, 
addition mP+(nn-l)P of points mP and (in+l)P is performed 
5 from a set of points (mP, (m+l)P) represented by the 
projective coordinate, and the point (2m+l)P is 
calculated. Thereafter, the flow goes to step 708. 
Here, the addition mP+(m+l)P is calculated using the 
addition formula in the projective coordinate of the 

10 Montgomery- form elliptic curve. In step 708, doubling 
2 (mP) of the point mP is performed from the set of 
points (mP, (m+l)P) represented by the projective 
coordinate, and the point 2mP is calculated. There- 
after, the flow goes to step 709. Here, the doubling 

15 2 (mP) is calculated using the formula of doubling in 
the projective coordinate of the Montgomery- form 
elliptic curve. In the step 709, the point 2mP 
obtained in the step 708 and the point (2m+l)P obtained 
in the step 707 are stored as a set of points (2mP, 

20 (2m+l)P) instead of the set of points (mP, (m+l)P). 
Thereafter, the flow returns to the step 704. Here, 
the points 2mP, (2m+l)P, mP, and (m+l)P are all 
represented in the projective coordinates. In step 
710, addition mP+(m+l)P of the points mP, (m+l)P is 

25 performed from the set of points (mP, (m+l)P) 

represented by the projective coordinates, and the 
point (2m+l)P is calculated. Thereafter, the flow goes 
to step 711. Here, the addition mP+(m+l)P is calcu- 
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lated using the addition formula in the projective 
coordinates of the Montgomery- form elliptic curve. In 
the step 711, doubling 2((m+l)P) of the point {m+l)P is 
performed from the set of points (mP, (m+l)P) 
5 represented by the projective coordinates, and a point 
(2m+2)P is calculated. Thereafter, the flow goes to 
step 712. Here, the doubling 2((m+l)P) is calculated 
using the formula of doubling in the projective 
coordinates of the Montgomery-form elliptic curve. In 

10 the step 712, the point (2m+l)P obtained in the step 

710 and the point (2m+2)P obtained in the step 711 are 
stored as a set of points ({2m+l)P, (2m+2)P) instead of 
the set of points (mP, (m+l)P). Thereafter, the flow 
returns to the step 704. Here, the points (2m+l)P, 

15 (2m+2)P, mP, and (m+l)P are all represented in the 

projective coordinates. In step 714, from the set of 
points (mP, (m+l)P) represented by the projective 
coordinates, X-coordinate X^^^.i and Z-coordinate Z^^^ are 
obtained in the projective coordinates of the point (m- 

20 DP. Thereafter, the flow goes to step 715. In the 
step 715, the point (m-l)P in the Montgomery- form 
elliptic curve is transformed to the point represented 
by the affine coordinates on the Weierstrass-f orm 
elliptic curve. The x-coordinate of the point is set 

25 anew to x^.^. With respect to the set of points (mP, 
(m+l)P) represented by the projective coordinates in 
the Montgomery-form elliptic curve, the points mP and 
(m+l)P are transformed to points represented by the 
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affine coordinates on the Weierstrass-f orm elliptic 
curve. The respective points are replaced as mP= (x^,/ Vm) 
and (m+1) P= (x^+i, y^^.i) , Here, since the Y-coordinate 
cannot be obtained by the addition and doubling 
5 formulae in the projective coordinates of the 

Montgomery- form elliptic curve, y^, and y^+i are not 
obtained. Thereafter, the flow goes to step 713. In 
the step 713, x-coordinate x^.^ of the point (m-l)P 
represented by the affine coordinates on the 

10 Weierstrass-f orm elliptic curve is set to x^-i, x^ is set 
to Xd from the point mP=(Xn„y^) represented by the 
projective coordinates on the Weierstrass-f orm elliptic 
curve, and x^^+i is outputted as x^+i from the point 
(m+1) P= (x^^.1, y^+i) represented by the affine coordinates 

15 on the Weierstrass-f orm elliptic curve. In the above 
procedure, m and scalar value d are equal in the bit 
length and bit pattern, and are therefore equal. 
Moreover, when (m-l)P is obtained in step 714, it may 
be obtained by Equations 13, 14. If m is an odd 

20 number, a value of ({m-l)/2)P is separately held in the 
step 712, and (m-l)P may be obtained from the value by 
the doubling formula of the Montgomery- form elliptic 
curve . 

The computational amount of the addition 
25 formula in the projective coordinates of the 

Montgomery- form elliptic curve is 3M+2S with Zi=l . 
Here, M is the computational amount of multiplication 
on the finite field, and S is the computational amount 
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of squaring on the finite field. The computational 
amount of the doubling formula in the projective 
coordinates of the Montgomery-form elliptic curve is 
3M+2S. When the value of the I-th bit of the scalar 
5 value is 0, the computational amount of addition in the 
step 707, and the computational amount of doubling in 
the step 708 are required. That is, the computational 
amount of 6M+4S is required. When the value of the I- 
th bit of the scalar value is 1, the computational 

10 amount of addition in the step 710, and the computa- 
tional amount of doubling in the step 711 are required. 
That is, the computational amount of 6M+4S is required. 
In any case, the computational amount of 6M+4S is 
required. The number of repetitions of the steps 704, 

15 705, 706, 707, 708, 709, or the steps 704, 705, 706, 

710, 711, 712 is (bit length of the scalar value d)-l- 
Therefore, in consideration of the computational amount 
of doubling in the step 7 02, the computational amount 
necessary for transform to the point on the Montgomery- 

20 form elliptic curve in the step 716, and the computa- 
tional amount necessary for transform to the point on 
the Weierstrass-f orm elliptic curve in the step 715, 
the entire computational amount is ( 6M+4S) k+15M+I . 
Here, k is the bit length of the scalar value d. In 

25 general, since the computational amount S is estimated 
to be of the order of S=0 . 8 M, and the computational 
amount of I is estimated to be of the order of 1=40 M, 
the entire computational amount is approximately 
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{9.2k+55)M- For example, when the scalar value d 
indicates 160 bits (k=160) , the computational amount of 
algorithm of the aforementioned procedure is about 1527 
M. The computational amount per bit of the scalar 
5 value d is about 9.2 M. In A. Miyaji, T, Ono, H. 

Cohen, Efficient elliptic curve exponentiation using 
mixed coordinates. Advances in Cryptology Proceedings 
of ASIACRYPT' 98, LNCS 1514 (1998) pp. 51-65, the scalar 
multiplication method using the window method and mixed 

10 coordinates mainly including Jacobian coordinates in 

the Weierstrass-form elliptic curve is described as the 
fast scalar multiplication method. In this case, the 
computational amount per bit of the scalar value is 
estimated to be about 10 M. For example, when the 

15 scalar value d indicates 160 bits (k=160) , the 

computational amount of the scalar multiplication 
method is about 1640 M. Therefore, the algorithm of 
the aforementioned procedure can be said to have a 
small computational amount and high speed. 

20 Additionally, instead of using the afore- 

mentioned algorithm in the fast scalar multiplication 
unit 202, another algorithm may be used as long as the 
algorithm outputs x^, x^^i, x^-i from the scalar value d 
and the point P on the Weierstrass-form elliptic curve 

25 at high speed. 

The computational amount required for 
recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 
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2M+S+I, and this is far small as compared with the 
computational amount of (9,2k+55)M necessary for fast 
scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
5 necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 
computational amount necessary for the fast scalar 
multiplication of the fast scalar multiplication unit. 
Assuming 1=40 M, and S=0.8 M, the computational amount 

10 can be estimated to be about ( 9 . 2k+97 . 8 ) M . For 

example, when the scalar value d indicates 160 bits 
(k=160), the computational amount necessary for the 
scalar multiplication is about 1570 M. The 
Weierstrass-f orm elliptic curve is used as the elliptic 

15 curve, the scalar multiplication method is used in 
which the window method and the mixed coordinates 
mainly including the Jacobian coordinates are used, and 
the scalar-multiplied point is outputted as the affine 
coordinates- In this case, the required computational 

2 0 amount is about 164 0 M, and as compared with this, the 
required computational amount is reduced. 

In a ninth embodiment, the Weierstrass-f orm 
elliptic curve is used as the elliptic curve for 
input/output, and the Montgomery- form elliptic curve to 

25 which the given Weierstrass-f orm elliptic curve can be 
transformed is used for the internal calculation. The 
scalar multiplication unit 103 calculates and outputs 
the scalar-multiplied point (Xd,yd) with the complete 
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coordinate given thereto as the point of the affine 
coordinates in the Weierstrass-f orm elliptic curve from 
the scalar value d and the point P on the Weierstrass- 
form elliptic curve. The scalar value d and the point 
5 P on the Weierstrass-f orm elliptic curve are inputted 
into the scalar multiplication unit 103, and received 
by the scalar multiplication unit 202. The fast scalar 
multiplication unit 202 calculates and in the 
coordinate of the scalar-multiplied point dP= (X^, Y^, Z^) 

10 represented by the projective coordinates in the 

Montgomery- form elliptic curve, and X^+i and Z^+i in the 
coordinate of the point (d+1 ) P= (X^^i, Yd+i, Z^+i) on the 
Montgomery-form elliptic curve represented by the 
projective coordinates from the received scalar value d 

15 and the given point P on the Weierstrass-f orm elliptic 
curve. Moreover, the inputted point P on the 
Weierstrass-form elliptic curve is transformed to the 
point on the Montgomery-form elliptic curve which can 
be transformed from the given Weierstrass-form elliptic 

20 curve, and the point is set anew to P=(x,y). The 

scalar multiplication unit 202 gives X^, Z^,/ X^+i^ Z^+i/ 
and y to the coordinate recovering unit 203. The 
coordinate recovering unit 203 recovers coordinate 
and y^ of the scalar-multiplied point dP=(Xd,yd) 

25 represented by the affine coordinates in the 

Weierstrass-form elliptic curve from the given coordi^ 
nate values X^, Z^, X^.i, Z^+i, x, and y. The scalar 
multiplication unit 103 outputs the scalar-multiplied 



point (Xd/Vd) with the coordinate completely given 
thereto in the affine coordinates as the calculation 
result • 

A processing of the coordinate recovering 
5 unit which outputs x^, from the given coordinates x, 
y, Z^, Xd+i, Zd+i will next be described with reference 

to FIG. 17. 

The coordinate recovering unit 203 inputs 
and in the coordinate of the scalar-multiplied point 

10 dP= (Xd, Yd/ Zd) represented by the projective coordinates 
in the Montgomery- form elliptic curve, X^+i and Z^+i in 
the coordinate of the point (d+1 ) P= (X^+i, Y^+i, Z^+i) on the 
Montgomery-form elliptic curve represented by the 
projective coordinates, and (x,y) as representation of 

15 the point P on the Montgomery-form elliptic curve in 
the affine coordinates inputted into the scalar 
multiplication unit 103, and outputs the scalar- 
multiplied point (x^^y^) with the complete coordinate 
given thereto in the affine coordinates in the follow- 

20 ing procedure. Here, the affine coordinate of the 

inputted point P on the Montgomery- form elliptic curve 
is represented by (x,y), and the projective coordinate 
thereof is represented by (X^,Y^rZ^) . Assuming that the 
inputted scalar value is d, the affine coordinate of 

25 the scalar-multiplied point dP in the Montgomery- form 
elliptic curve is represented by ( Xd''°% yd"°" ) / and the 
projective coordinate thereof is represented by 
(XdrYd,Zd). The affine coordinate of the point {d-l)P on 



the Montgomery- form elliptic curve is represented by 
(Xd.i,yd-i)f and the projective coordinate thereof is 
represented by (X^-i/ Y^-i, Z^.i) . The affine coordinate of 
the point (d+1) P on the Montgomery-form elliptic curve 
5 is represented by (x^+i^yd+i)/ and the projective coordi- 
nate thereof is represented by (Xd+i, Y^+i, Z^+i) . 

In step 1701 X^xx is calculated, and stored in 
the register T^. In step 1702 T^-Z^ is calculated. 
Here, X^x is stored in the register Ti, and X^x-Z^ is 

10 therefore calculated. The result is stored in the 
register T^. In step 1703 Z^xx is calculated, and 
stored in the register T2 . In step 1704 X^-T^ is calcu- 
lated. Here, Z^x is stored in the register T2, and X^- 
xZd is therefore calculated. The result is stored in 

15 the register T2. In step 1705 X^+iXTs is calculated. 

Here, X^-xZ^ is stored in the register T2, and X^+i (X^-xZ^) 
is therefore calculated. The result is stored in the 
register T3. In step 1706 the square of T2 is calcu- 
lated. Here, (X^-xZ^) is stored in the register T2, and 

20 (Xd-xZd)^ is therefore calculated. The result is stored 
in the register T2 . In step 1707 T2xXd+i is calculated. 
Here, (X^-xZ^) ^ is stored in the register T2, and X^^^^ (X^- 
xZd)' is therefore calculated. The result is stored in 
the register T2. In step 1708 T2xZd+i is calculated. 

25 Here, X^^-i (X^-xZ^) ^ is stored in the register T2, and 

Zd+iXd+i (Xd-xZd) ^ is therefore calculated. The result is 
stored in the register T2 . In step 1709 T2xy is 
calculated. Here, Zd^iX^+i (X^-xZ^) ^ is stored in the 
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register T2, and yZ^^iXd+i (X^-xZ^) ^ is therefore calculated. 
The result is stored in the register T2. In step 1710 
T2XB is calculated. Here, yZa+iXd^i (X^-xZ^) ^ is stored in 
the register T2, and ByZd^-iX^+i (X^-xZ^) ^ is therefore 
5 calculated. The result is stored in the register T2 . 
In step 1711 TsXZd is calculated. Here, ByZd+iX^+i (Xd-xZ^) ^ 
is stored in the register T2/ and ByZ^+iXd+i (X^-xZ^) ^Z^ is 
therefore calculated. The result is stored in the 
register T2 . In step 1712 T2xXd is calculated. Here, 

10 ByZd+iXd+i (Xd-xZd) ^Zd is stored in the register T2, and 

ByZd+iXd+i (Xd-xZd) ^ZrfXd is therefore calculated. The result 
is stored in the register T4 . In step 1713 T2xZd is 
calculated. Here, ByZ^^^X^,,! (X^-xZ^) ^Z^ is stored in the 
register T2, and ByZd+iX^+i (X^-xZ^) ^Z^ is therefore calcu- 

15 lated. The result is stored in the register T2 . In 
step 1714 the register T2XS is calculated. Here, 
ByZ^^iXd+i (X^-xZd) ^Z/ is stored in the register T2, and 
therefore sByZ^^^^X^^:^ {X^-kZ^) ^Z^^ is calculated. The result 
is stored in the register T2 . In step 1715 the inverse 

20 element of T2 is calculated. Here, sByZd+iX^+i (X^-xZ^) ^Z/ 
is stored in T2, and l/sByZa-^iXd+i (X^-xZ^) ^z/ is calcu- 
lated. The result is stored in T2 . In step 1716 TjXT^ 
is calculated. Therefore, l/sByZd^-iX^^i (X^-xZ^) ^Z^' is 
stored in the register T2, ByZd^iX^.i (X^-xZ^) ^Z^X^ is stored 

25 in the register T4, and therefore (ByZ^+iXd+i (X^-xZ^) ^Z^XJ / 
(sByZd+iXd+i (Xrf-xZd) ^Z/) is calculated. The result is 
stored in the register T4. In step 1717 T^+a is 
calculated. Here, the register T4 stores (ByZd+iXd+i (X^- 
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xZd)'ZdXJ / {sByZd^iXd^i(X^-xZd)'z/) , and Equation 36 is 
therefore calculated. 

sByZ,,,X,,,Z,{X,-xZ,yZ, 

. . . Equation 36 

5 The result is stored in the register x^- In 

step 1718 T^xZ^^i is calculated. Here, X^x-Z^ is stored 
in the register T^, and therefore Z^^^i (X^x-Z^) is 
calculated- The result is stored in the register T4 . 
In step 1719 a square of the register T^ is calculated. 

10 Here (X^x-Z^) is stored in the register Ti, and therefore 
(X^x-Z^)^ is calculated. The result is stored in the 
register Ti. In step 1720 T1XT2 is calculated. Here 
(XdX-Zd)^ is stored in the register T^, 1/sByZd+iXd+i (X^- 
xZd)^Z/ is stored in the register l!2f and therefore 

15 (X^x-Zd) VsByZ^,,X,,,{Xd-xZj'z/ is calculated. The result 
is stored in the register T2 . In step 1721 T3+T4 is 
calculated. Here X^^^lX^-xZ^) is stored in the register 
T3, Zd+i (X^x-Zd) is stored in the register T4, and 
therefore X^^^ (X^-xZ^) +Zd^i (X^x-Z^) is calculated. The 

20 result is stored in the register T^. In step 1722 T3-T4 
is calculated. Here X^^^ (X^-xZ J is stored in the 
register T3, and Z^^iCX^x-Zd) is stored in the register 
T4, and therefore X^.i (X^-xZ^) -Z^+i (X^x-Z^) is calculated. 
The result is stored in the register T3. In step 1723 

25 T1XT3 is calculated. Here X^^^ (X^-xZ^) ^Z^^i (X^x-Z J is 
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stored in the register T^, X^+i (X^-xZ^) -Z^+i (X^x-Z^) is 
stored in the register T3, and therefore {X^+i (Xd-xZ^) + 
Zd^i(XdX-Zd) } {Xd^i(Xd-xZJ -Zd^i{XdX-Zd) } is calculated. The 
result is stored in the register T^. In step 1724 T^xTs 
5 is calculated. Here {Xd+i (X^-xZ^) +Zd^i (X^x-Z^) } {X^+i (X^-xZ^) - 
Zd+i (X^x-Zd) } is stored in the register Ti, (XdX-Z^)^/ 
sByZ^+iXd+i (Xd-xZd) ^Z/ is stored in the register T2/ and 
therefore the following is calculated. 

{Z,,, (X,x - Z, ) + X,,, (X, - xZ, )}{Z^,, jX.x - Z, ) - X,,, (X, - xZ, )}(X,x -Z,f 

sByZ,^,X,^,{X,-xZ,yz] 

. . . Equation 37 



10 The result is stored in y^. Therefore, the value of 

Equation 37 is stored in the register y^. The value of 
Equation 36 is stored in the register x^,, and is not 
updated thereafter, and the value is therefore held. 
As a result, all the values of the affine coordinate 

15 (Xd,yd) in the Weierstrass-f orm elliptic curve are 
recovered . 

A reason why all values in the affine coordi- 
nate (Xd,yd) of the scalar-multiplied point in the 
Weierstrass-f orm elliptic curve are recovered from x, 
20 y, Xd, Zd, Xd+i, Zd^i given by the aforementioned procedure 
is as follows. Additionally, point (d+l)P is a point 
obtained by adding the point P to the point dP, and 
point (d-l)P is a point obtained by subtracting the 
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point P from the point dP. Assignment to addition 
formulae in the affine coordinates of the Montgomery- 
form elliptic curve results in the following equations . 

+ X + xf- + X,,, X^''" - = ^(yf - yf 

5 ... Equation 38 

+ X + x^^^ + x,_, - xf = BiyT"" + yf 
. . . Equation 3 9 

When opposite sides are individually subjected to 
subtraction, the following equation is obtained. 

1 0 (x,., - X,,, txT" - xj = ABy^-y 

. . . Equation 4 0 

Therefore, the following results. 

. . . Equation 41 

15 Here, x^'-^X./Z,, Xd.x=X,,,/Z^,,, x^_,=Xd.,/Z^_, . The value is 
assigned and thereby converted to a value of the 
projective coordinate. Then, the following equation is 
obtained. 

yT" = {X,_,Z,^, - Z,_,X,^, \X, - Z,xy IAByZ,_,Z,,,Zl 
20 ... Equation 42 

The addition formulae in the projective 
coordinate of the Montgomery-form elliptic curve are 
Equations 11, 12 described above. Here, and Z^ are 
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X-coordinate and Z-coordinate in the projective 
coordinate of the m-multiplied point mP of the point P 
on the Montgomery- form elliptic curve, and are X- 
coordinate and Z-coordinate in the projective coordi- 
5 nate of an n-multiplied point nP of the point P on the 
Montgomery- form elliptic curve, X^^^^ Z^.^ are X- 

coordinate and Z-coordinate in the projective coordi- 
nate of the (m-n) -multiplied point (m-n) P of the point 
P on the Montgomery-form elliptic curve, X^^.^ and Z^^^ 

10 X-coordinate and Z-coordinate in the projective 

coordinate of a (m+n) -multiplied point (m+n) P of the 
point P on the Montgomery- form elliptic curve, and m, n 
are positive integers satisfying m>n. In the equation, 
when xyz,=x,, X,/Z,=x„ X,.„/Z,„,=x,_, are unchanged, 

15 X„,+n/Zj^+„=x^+„ is also unchanged. Therefore, this func- 
tions well as the formula in the projective coordinate. 
On the other hand, also in Equations 13, 14, when 
X^/Z,=x,, XjZ=x,, X^_^/Z,.,=x^., are unchanged, X,,,/Z,,,=x^.„ 
is also unchanged. Moreover, since X'^,n/2'm-n=Xm-n/ 

20 is satisfied, X'^_^, Z'^.„ may be taken as the projective 
coordinate of x^.„. When m=d, n=l are set, the above 
formula is used, X^.^ and Z^^i are deleted from the 
equation of y/°% and Xi=x, Zi=l are set, the following 
equation is obtained. 

ByZ,^,X,^,{X,-xZ,yZl 
25 ... Equation 43 
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Although x/°"=Xd/Zd/ reduction to the denominator common 
with that of 7^"°" is performed for the purpose of 
reducing the frequency of inversion, and the following 
equation is obtained. 

5 ^j^.„ _ ByZ,^,X,^,Z,{X,-xZ,yX, 

ByZ,^,X,,,ZAX,-xZ,yZ, 

. . . Equation 44 

A correspondence between the point on the Montgomery- 
form elliptic curve and the point on the Weierstrass- 
form elliptic curve is described in K.Okeya, 

10 H.Kurumatani, K.Sakurai, Elliptic Curves with the 

Montgomery-form and Their Cryptographic Applications, 
Public Key Cryptography, LNCS 1751 (2000) pp. 238-257. 
Thereby, when conversion parameters are s, a, the 
relation is Ya^s'^yJ''''' and Xd=s"^Xd"°''+a. As a result, 

15 Equations 45, 46 are obtained. 

^ {z,,,(x,x-z,)-^x,,,(x, ~'xz,)}{z,^,(x,x-z,)-x,,,(x, - xz,)Yx,x- z,y 

sByZ,,,X,,,{X,^xZ,fZl 
. . . Equation 45 

X, = [ByZ,,,X,,,Z,{X,-xZjX,)l(sByZ,,,X,,,zSX, -xZjZ,)+a 

. . . Equation 4 6 



20 Here, x^, yd are given by FIG. 17. Therefore, 

all values of the affine coordinate (K^^Yd) the 
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Weierstrass-form elliptic curve are recovered- 

For the aforementioned procedure, in the 
steps 1701, 1703, 1705, 1707, 1708, 1709, 1710, 1711, 
1712, 1713, 1714, 1716, 1718, 1720, 1723, and 1724, the 
5 computational amount of multiplication on the finite 
field is required. Moreover, the computational amount 
of squaring on the finite field is required in the 
steps 1706 and 1719. Moreover, the computational 
amount of inversion on the finite field is required in 

10 the step 1715. The computational amounts of addition 
and subtraction on the finite field are relatively 
small as compared with the computational amount of 
multiplication on the finite field and the computa- 
tional amounts of squaring and inversion, and may 

15 therefore be ignored. Assuming that the computational 
amount of multiplication on the finite field is M, the 
computational amount of squaring on the finite field is 
S, and the computational amount of inversion on the 
finite field is I, the above procedure requires a 

20 computational amount of 16M+2S+I. This is very small 
as compared with the computational amount of fast 
scalar multiplication. For example, when the scalar 
value d indicates 160 bits, the computational amount of 
the fast scalar multiplication is estimated to be a 

25 little less than about 1500 M. Assuming S=0.8 M, 1=40 
M, the computational amount of coordinate recovering is 
57.6 M, and this is very small as compared with the 
computational amount of the fast scalar multiplication. 
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Therefore^ it is indicated that the coordinate can 
efficiently be recovered. 

Additionally, even when the above procedure 
is not taken, the values of x^, yd given by the above 
5 equation can be calculated, and the values of x^, yd can 
then be recovered. In this case, the computational 
amount necessary for the recovering generally 
increases. Moreover, when the value of B as the 
parameter of the Montgomery- form elliptic curve or the 

10 conversion parameter s to the Montgomery- form elliptic 
curve is set to be small, the computational amount of 
multiplication in the step 1710 or 1714 can be reduced. 

A processing of the fast scalar multiplica- 
tion unit which outputs X^, Z^, X^^^, Z^+i from the scalar 

15 value d and the point P on the Weierstrass-f orm 

elliptic curve will next be described with reference to 
FIG. 8. 

The fast scalar multiplication unit 202 
inputs the point P on the Weierstrass-f orm elliptic 

20 curve inputted into the scalar multiplication unit 103, 
and outputs X^ and in the scalar-multiplied point 
dP= (X^, Y^, Zrf) represented by the projective coordinate in 
the Montgomery- form elliptic curve, and X^+i and Z^+i in 
the point (d+1 ) P= (Xd^-i, Yd+i/ Z^+J on the Montgomery- form 

25 elliptic curve represented by the projective coordinate 
by the following procedure. In step 816, the given 
point P on the Weierstrass-f orm elliptic curve is 
transformed to the point represented by the projective 
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coordinates on the Montgomery- form elliptic curve - 
This point is set anew as point P. In step 801, the 
initial value 1 is assigned to the variable I. The 
doubled point 2P of the point P is calculated in step 
5 802. Here, the point P is represented as (x,y, 1) in 
the projective coordinate, and the doubling formula in 
the projective coordinate of the Montgomery- form 
elliptic curve is used to calculate the doubled point 
2P. In step 803, the point P on the elliptic curve 

10 inputted into the scalar multiplication unit 103 and 
the point 2P obtained in the step 802 are stored as a 
set of points (P,2P) . Here, the points P and 2P are 
represented by the projective coordinate. It is judged 
in step 8 04 whether or not the variable I agrees with 

15 the bit length of the scalar value d. With agreement, 
the flow goes to step 813. With disagreement, the flow 
goes to step 8 05. The variable I is increased by 1 in 
the step 805. It is judged in step 806 whether the 
value of the I-th bit of the scalar value is 0 or 1 . 

20 When the value of the bit is 0, the flow goes to the 
step 807. When the value of the bit is 1, the flow 
goes to step 810. In step 807, addition mP+(m+l)P of 
points mP and (m+l)P is performed from a set of points 
(mP, (m+l)P) represented by the projective coordinate, 

25 and the point (2m+l)P is calculated. Thereafter, the 

flow goes to step 808. Here, the addition mP+{m+l)P is 
calculated using the addition formula in the projective 
coordinate of the Montgomery- form elliptic curve. In 



.:.L O G S '& H- ^ O 7S Cai O .H* 



step 808, doubling 2 (mP) of the point mP is performed 
from the set of points (mP, (m+l)P) represented by the 
projective coordinate, and the point 2mP is calculated. 
Thereafter, the flow goes to step 809. Here, the 
5 doubling 2 (mP) is calculated using the formula of 
doubling in the projective coordinate of the 
Montgomery- form elliptic curve. In the step 809, the 
point 2mP obtained in the step 808 and the point 
{2m+l)P obtained in the step 807 are stored as a set of 

10 points (2mP, (2m+l)P) instead of the set of points (mP, 
(m+l)P). Thereafter, the flow returns to the step 804. 
Here, the points 2mP, (2m+l)P, mP, and {m+l)P are all 
represented in the projective coordinates. In step 
810, addition mP+(m+l)P of the points mP, (m+l)P is 

15 performed from the set of points (mP, (m+l)P) 

represented by the projective coordinates, and the 
point (2m+l)P is calculated. Thereafter, the flow goes 
to step 811. Here, the addition mP-f(m+l)P is calcu- 
lated using the addition formula in the projective 

20 coordinates of the Montgomery- form elliptic curve. In 
the step 811, doubling 2((m+l)P) of the point (m+l)P is 
performed from the set of points (mP, (m+l)P) 
represented by the projective coordinates, and a point 
(2m+2)P is calculated. Thereafter, the flow goes to 

25 step 812. Here, the doubling 2((m-f-l)P) is calculated 
using the formula of doubling in the projective 
coordinates of the Montgomery-form elliptic curve. In 
the step 812, the point (2m+l)P obtained in the step 
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810 and the point (2m+2)P obtained in the step 811 are 
stored as a set of points ((2m+l)P, (2m+2)P) instead of 
the set of points (mP^ (m+1 ) P) . Thereafter, the flow 
returns to the step 804. Here, the points (2m+l)P, 
5 (2ia+2)P, mP, and (m+l)P are all represented in the 
projective coordinates- In step 813, and are 
outputted as and in the point mP (X^,, Yj„, Z^^^) 
represented by the projective coordinates, and X^^^ and 
Zn,+i are outputted as X^+i and Z^+3^ in the point 

10 (m+1) P (X^^i, Y^+i, Z^+i) represented by the projective 
coordinates from the set of points (mP, (in+l)P) 
represented by the projective coordinates. Here, Y^^ and 
Yj^+i are not obtained, because the Y-coordinate cannot be 
obtained by the addition and doubling formulae in the 

15 projective coordinates of the Montgomery- form elliptic 
curve. In the above procedure, m and scalar value d 
are equal in the bit length and bit pattern, and are 
therefore equal . 

The computational amount of the addition 

20 formula in the projective coordinates of the 

Montgomery- form elliptic curve is 3M+2S with Zi=l . 
Here, M is the computational amount of multiplication 
on the finite field, and S is the computational amount 
of squaring on the finite field. The computational 

25 amount of the doubling formula in the projective . 

coordinates of the Montgomery- form elliptic curve is 
3M+2S. When the value of the I-th bit of the scalar 
value is 0, the computational amount of addition in the 
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step 8 07, and the computational amount of doubling in 
the step 808 are required- That is, the computational 
amount of 6M+4S is required. When the value of the I- 
th bit of the scalar value is 1, the computational 
5 amount of addition in the step 810, and the computa- 
tional amount of doubling in the step 811 are required. 
That is, the computational amount of 6M+4S is required. 
In any case, the computational amount of 6M+4S is 
required- The number of repetitions of the steps 804, 

10 805, 806, 807, 808, 809, or the steps 804, 805, 806, 

810, 811, 812 is (bit length of the scalar value d)-l- 
Therefore, in consideration of the computational amount 
of doubling in the step 8 02, and the computational 
amount necessary for transform to the point on the 

15 Montgomery- form elliptic curve in the step 816, the 
entire computational amount is (6M+4S) (k-l)+4M+2S. 
Here, k is the bit length of the scalar value d. In 
general, since the computational amount S is estimated 
to be of the order of S=0.8 M, the entire computational 

20 amount is approximately (9,2k-3.6)M. For example, when 
the scalar value d indicates 160 bits (k=160) , the 
computational amount of algorithm of the aforementioned 
procedure is about 14 68 M. The computational amount 
per bit of the scalar value d is about 9.2 M. In A. 

25 Miyaji, T. Ono, H. Cohen, Efficient elliptic curve 
exponentiation using mixed coordinates. Advances in 
Cryptology Proceedings of ASIACRYPT' 98 , LNCS 1514 
(1998) pp. 51-65, the scalar multiplication method using 
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the window method and mixed coordinates mainly includ- 
ing Jacobian coordinates in the Weierstrass-f orm 
elliptic curve is described as the fast scalar multi- 
plication method. In this case, the computational 
5 amount per bit of the scalar value is estimated to be 
about 10 M. For example, when the scalar value d 
indicates 160 bits (k==160), the computational amount of 
the scalar multiplication method is about 1600 M. 
Therefore, the algorithm of the aforementioned 

10 procedure can be said to have a small computational 
amount and high speed. 

Additionally, instead of using the afore- 
mentioned algorithm in the fast scalar multiplication 
unit 202, another algorithm may be used as long as the 

15 algorithm outputs X^, Z^, X^+i, Z^+i from the scalar value 
d and the point P on the Weierstrass-f orm elliptic 
curve at high speed. 

The computational amount required for 
recovering the coordinate of the coordinate recovering 

20 unit 203 in the scalar multiplication unit 103 is 

16M+2S+I, and this is far small as compared with the 
computational amount of (9.2k-3.6)M necessary for fast 
scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 

25 necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 
computational amount necessary for the fast scalar 
multiplication of the fast scalar multiplication unit. 
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Assuming 1=40 M, and S=0 . 8 M, the computational amount 
can be estimated to be about (9.2k:+54)M. For example, 
when the scalar value d indicates 160 bits {k=160) , the 
computational amount necessary for the scalar multipli-- 
5 cation is about 1526 M. The Weierstrass-f orm elliptic 
curve is used as the elliptic curve, the scalar 
multiplication method is used in which the window 
method and the mixed coordinates mainly including the 
Jacobian coordinates are used, and the scalar- 

10 multiplied point is outputted as the affine coordi- 
nates. In this case, the required computational amount 
is about 1640 M, and as compared with this, the 
required computational amount is reduced. 

In a tenth embodiment, the Weierstrass-f orm 

15 elliptic curve is used as the elliptic curve for 

input/output, and the Montgomery- form elliptic curve 
which can be transformed from the given Weierstrass- 
form elliptic curve is used for the internal calcula- 
tion. The scalar multiplication unit 103 calculates 

20 and outputs the scalar-multiplied point (Xd'',Y/, Z/) with 
the complete coordinate given thereto as the point of 
the projective coordinates in the Weierstrass-f orm 
elliptic curve from the scalar value d and the point P 
on the Weierstrass-f orm elliptic curve. The scalar 

25 value d and the point P on the Weierstrass-f orm 

elliptic curve are inputted into the scalar multipli- 
cation unit 103, and received by the scalar multipli- 
cation unit 202. The fast scalar multiplication unit 
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202 calculates and in the coordinate of the 
scalar-multiplied point dP= (X^, Y^, Z^) represented by the 
projective coordinates in the Montgomery- form elliptic 
curve, and X^^^ and Z^+i in the coordinate of the point 
5 (d+1 ) P= (Xd+i/ Y^+i, Zd+i) on the Montgomery- form elliptic 
curve represented by the projective coordinates from 
the received scalar value d and the given point P on 
the Weierstrass-f orm elliptic curve. Moreover, the 
inputted point P on the Weierstrass-f orm elliptic curve 

10 is transformed to the point on the Montgomery- form 

elliptic curve which can be transformed from the given 
Weierstrass-f orm elliptic curve, and the point is set 
anew to P=(x,y) . The scalar multiplication unit 202 
gives X^, Z^/ X^+if Z^+i/ x, and y to the coordinate 

15 recovering unit 203. The coordinate recovering unit 
2 03 recovers coordinate X/, Y^"^, Z/ of the scalar- 
multiplied point dP= (X/, Yd"", Z^"") represented by the 
projective coordinates in the Weierstrass-f orm elliptic 
curve from the given coordinate values X^/ Z^/ X^+i, ^a+if 

20 X, and y. The scalar multiplication unit 103 outputs 
the scalar-multiplied point (Xd"", Yd"", Z/) with the 
coordinate completely given thereto in the projective 
coordinates as the calculation result. 

A processing of the coordinate recovering 

2 5 unit which outputs X^^, Y/, Z^"" from the given coordi- 
nates X, y, X^, Z^, X^^i, Z^+i will next be described with 
reference to FIG, 18, 

The coordinate recovering unit 2 03 inputs X^ 
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and in the coordinate of the scalar-multiplied point 
dP= (Xd, Yd, Zd) represented by the projective coordinates 
in the Montgomery- form elliptic curve, X^+i and Z^+i in 
the coordinate of the point (d+1 ) P= (Xd+i, Y^+i, Z^+J on the 
5 Montgomery-form elliptic curve represented by the 

projective coordinates, and (x,y) as representation of 
the point P on the Montgomery- form elliptic curve 
inputted into the scalar multiplication unit 103 in the 
affine coordinates, and outputs the scalar-multiplied 

10 point (X/, Yd"^, Zd"") with the complete coordinate given 
thereto in the projective coordinates on the 
Weierstrass-f orm elliptic curve in the following 
procedure. Here, the affine coordinate of the inputted 
point P on the Montgomery-form elliptic curve is 

15 represented by (x,y), and the projective coordinate 

thereof is represented by (X^,Y^,Z^) . Assuming that the 
inputted scalar value is d, the affine coordinate of 
the scalar-multiplied point dP in the Montgomery-form 
elliptic curve is represented by (x^^yd)/ and the 

20 projective coordinate thereof is represented by 

(Xd/Yd,Zd). The affine coordinate of the point {d-l)P on 
the Montgomery-form elliptic curve is represented by 
(^d-i/Yd-i)/ dind. the projective coordinate thereof is 
represented by (Xd_i, Yd_i, Zd-i) - The affine coordinate of 

25 the point (d+l)P on the Montgomery- form elliptic curve 
is represented by {Xd+i,yd+i)/ and the projective coordi- 
nate thereof is represented by (Xd+i, Yd+i, Zd+i) . 

In step 1801 XdXx is calculated, and stored in 



:i G O '^-S-'^s e H" ^ f,J %^ 3 O ^ 



141 

the register Ti. In step 1802 T^-Z^ is calculated. 
Here, X^x is stored in the register T^, and X^x-Z^ is 
therefore calculated. The result is stored in the 
register T^. In step 1803 Z^xx is calculated, and 
5 stored in the register T2 . In step 1804 Xd-T2 is 

calculated. Here, Z^x is stored in the register T2, and 
Xd-xZd is therefore calculated. The result is stored in 
the register T2. In step 1805 Z^+iXTi is calculated. 
Here, X^x-Z^ is stored in the register T^, and Z^+i (X^x-Z^) 

10 is therefore calculated. The result is stored in the 
register T3. In step 1806 X^+iXTg is calculated. Here, 
X^-xZd is stored in the register T2 . Therefore, X^+i (X^- 
xZd) is calculated. The result is stored in the 
register T4 . In step 1807 a square of Ti is calculated. 

15 Here, X^^x-Zd is registered in the register T^, and 

therefore (X^x-Z^)^ is calculated. The result is stored 
in the register T^. In step 1808 a square of T2 is 
calculated. Here, X^-xZ^ is stored in the register T2, 
and (Xd-xZd)^ is therefore calculated- The result is 

20 stored in the register T2. In step 1809 T2xZci is 

calculated. Here, (X^-xZ^)^ is stored in the register 
T2. Therefore, Zd(X^-xZ^)^ is calculated. The result is 
stored in the register T2 . In step 1810 T2xX^^^ is 
calculated. Here, Z^CX^-xZ^)^ is stored in the register 

25 T2, and X^^^Z^(X^-kZ^) ^ is therefore calculated. The 

result is stored in the register T2 . In step 1811 TjXZ^^] 
is calculated. Here, X^^^Z^{X^-xZ^)^ is stored in the 
register T2, and therefore Z^^^X^^^Z^iX^-y^Z^)^ is calcu- 
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lated. The result is stored in the register T2 . In 
step 1812 T2xy is calculated. Here, Zd+iXd+iZ^ (X^-xZd) ^ is 
stored in the register and yZd+iXc+iZc (X^-xZ^) ^ is 

therefore calculated. The result is stored in the 
5 register T2- In step 1813 T2XB is calculated. Here, 
y2d+iXd+iZd (Xd^xZd) ^ is stored in the register T2/ and 
ByZ^i+iXd+iZd (X^-xZ^) ^ is therefore calculated. The result 
is stored in the register T2 . In step 1814 T2xXd is 
calculated. Here, ByZ^i+iXd+iZ^ (X^-xZ^) ^ is stored in the 

10 register T2. Therefore, ByZ^+iXdH-iZd (X^-xZ^) ^X^ is calcu- 
lated. The result is stored in a register T^. In step 
1815 T2xZd is calculated. Here, ByZd+iX^+iZd (X^-xZ^) ^ is 
stored in the register T2, and ByZ^+iXd+iZd (X^-xZ^) ^Z^ is 
therefore calculated. The result is stored in the 

15 register T2. In step 1816 TjXs is calculated. Here, 
ByZd+iXd+iZd (Xd-xZd) ^Zd is stored in the register T2, and 
therefore sByZ^+iX^+iZd (X^-xZ^) ^Z^ is calculated. The 
result is stored in Z^^ . In step 1817 axZ/ is 
calculated. Here, sByZ^+iX^+iZ^ (X^-xZ^) ^Z^ is stored in Z^"- 

20 Therefore, asByZd+iX^+iZd (X^-xZ^) ^Z^ is calculated. The 

result' is stored in the register T2 . In step 1818, T2+T5 
is calculated. Here, asByZd+iXd+iZ^ (X^-xZ^) ^Z.^ is stored in 
the register T2, and ByZ^+iXd+iZ^ (X^-xZ^) ^X^^ is stored in 
the register T5. Therefore, asByZ^+iX^+iZd (X^-xZ^) ^Zd+ 

25 ByZd+iXd+iZd (Xj-xZ^) ^Xd is calculated. The result is stored 
in X/. In step 1819 T3+T4 is calculated. Here Z^^^ (X^x- 
Z^) is stored in the register T3, X^+i (X^-xZ^^) is stored 
in the register T^, and therefore Z^+i (X^x-Z^) +Xd+i (X^-xZ^) 
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is calculated. The result is stored in the register T2 - 
In step 1820 T3-T4 is calculated. Here Z^^^^ {X^^-Z^) is 
stored in the register T3, and X^+i (X^-xZ^) is stored in 
the register T4, and therefore Z^+i (X^x-Z^) -x^+i (Xd-xZ^) is 
5 calculated. The result is stored in the register T3. 
In step 1821 T1XT2 is calculated. Here (X^x-Z^)^ is 
stored in the register T^, and Z^+i (X^x-Z^) +Xd+i (X^-xZ^) is 
stored in the register T2. Therefore, { Z^+i (X^^x-Z^) + 
^d+i (^d"^^;^) } (X^x-Zd) ^ is calculated. The result is stored 

10 in the register T^. In step 1822 T1XT3 is calculated. 
Here, { Z^^.^ (X^x-Z^) +Xd+i (X^-xZ^) } (X^x-Z^) ' is stored in the 
register T^, and Z^+i (X^x-Z^) -x^+i (X^-xZ^) is stored in the 
register T3, and therefore { Z^^^ (X^x-Z^) +Xd+i (X^- 
xZJ } {Z^^, (X^x-Zd) ~-Xd^.i{Xd-xZJ } (XdX-Z^)" is calculated. The 

15 result is stored in the register Y/. Therefore, 
stores { Z^^, (X^x-Z J +X^,, (X^-xZ J } { Z^^, (X^x-Z^) -X^.i (X^- 
xZJ } (X^x-ZJ^ In the step 1818 ByZ^^iX^^iZ^ (X^-xZ^) X+ 
asByZ^+^Xd^iZd (X^-xZ^) ^Zd is stored in X^"", and is not 
updated thereafter, and the value is therefore held, 

20 In the step 1816 sByZd+iXd+iZd (X^-xZ^) ^Z^ is stored in Z^^, 
and is not updated thereafter, and the value is 
therefore held. As a result, all the values of the 
projective coordinate (Xd"", Y^"", Z^"") in the Weierstrass- 
form elliptic curve are recovered. 

25 A reason why all values in the projective 

coordinate (Xd"^, Y^"^, Z^"") of the scalar-multiplied point in 
the Weierstrass-f orm elliptic curve are recovered from 
X, y, Xd, Z^, X^+i, Zd+i given by the aforementioned 




procedure is as follows. Additionally, point (d+l)P is 
a point obtained by adding the point P to the point dP, 
and point (d-l)P is a point obtained by subtracting the 
point P from the point dP . Assignment to addition 
5 formulae in the affine coordinates of the Montgomery- 
form elliptic curve results in Equations 6, 7. When 
opposite sides of Equation 6, 7 are individually 
subjected to subtraction, Equation 8 is obtained. 
Therefore, Equation 9 results. Here, K^=X^/Z^f 

10 Xd+i=Xd+i/Zd+i, Xd_i=Xd_i/Zd_i. The value is assigned and 
thereby converted to a value of the projective 
coordinate. Then, Equation 10 is obtained. The 
addition formulae in the projective coordinate of the 
Montgomery- form elliptic curve are Equations 11, 12. 

15 Here, and Z^^ are X-coordinate and Z-coordinate in the 
projective coordinate of the m-multiplied point mP of 
the point P on the Montgomery- form elliptic curve, X^^ 
and Zj, are X-coordinate and Z-coordinate in the projec- 
tive coordinate of an n-multiplied point nP of the 

20 point P on the Montgomery- form elliptic curve, X^.^, and 
Z^_^ are X-coordinate and Z-coordinate in the projective 
coordinate of the (m-n) -multiplied point (m-n) P of the 
point P on the Montgomery- form elliptic curve, X^+„ and 
Zj^+n are X-coordinate and Z-coordinate in the projective 

25 coordinate of a (m+n) -multiplied point (m-fn)P of the 

point P on the Montgomery- form elliptic curve, and m, n 
are positive integers satisfying m>n. In the equation, 
when XJZ^=K^, xyz„=x,, X^_„/Z^.„=x^,^ are unchanged. 
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Xm+n/2m+n=^m+n also Unchanged, Therefore, this 
functions well as the formula in the projective 
coordinate. On the other hand, also in Equations 13, 
14, when X,/Z,-x^, X^Z.-x,, X^_y Z^_„=x^_^ are unchanged, 
5 Xj^+n/2im+n=^m+n also Unchanged. Moreover, since 

X'n.-n/Z'm-n=Xr.-n/Zn,-n-x^-n IS Satisfied, X',,^, Z\^, Hiay be 
taken as the projective coordinate of x^.^. When m=d, 
n=l are set, the above formula is used, X^-i and Z^.i are 
deleted from the equation of y^, and Xi=x, Z^^l are set, 
10 Equation 15 is obtained. Although k^-X^/Z^, reduction to 
the denominator common with that of is performed, and 
Equation 16 is obtained. As a result, the following 
equation is obtained. 

Y, = {z,,,{x,x -z,)+ X,,, {X, - xz,)}{z,,.(jr,x - z,) - x,^,{x, - xz,)}{x,x - z,y 

15 ... Equation 47 

The following equations also result. 

X, = ByZ,,,X,,,Z,{X, -xZ.fX, 
. . . Equation 48 

20 ... Equation 49 

Then, (X' Y' Z' ^) = {X^, Y^, Z^) . The correspondence 
between the point on the Montgomery-form elliptic curve 
and the point on the Weierstrass-f orm elliptic curve is 
described in K.Okeya, H.Kurumatani, K.Sakurai, Elliptic 
25 Curves with the Montgomery- Form and Their Cryptographic 
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Applications, Public Key Cryptography, LNCS 1751 (2000) 
pp. 238-257. Thereby, when the conversion parameter is 
sa, the relation is Yd"=Y'd, Xd''=X' d+aZd"", and Z/=sZ'd. As 
a result, the following equations are obtained. 

. . . Equation 50 

XJ =ByZ,,,X,^,Z,{X,-xZjX, +aZj 
• . . Equation 51 

ZJ = sByZ,,,X,,,ZAX, -xZjZ, 
10 ... Equation 52 

The values may be updated as described above. Here, 
y^^f ^di'f are given by the processing of FIG. 18. 

Therefore, all values of the projective coordinate 
(X^"", Y^"", Z^"^) in the Weierstrass-f orm elliptic curve are 
15 recovered. 

For the aforementioned procedure, in the 
steps 1801, 1803, 1805, 1806, 1809, 1810, 1811, 1812, 
1813, 1814, 1815, 1816, 1817, 1821, and 1822, the 
computational amount of multiplication on the finite 

20 field is required. Moreover, the computational amount 
of squaring on the finite field is required in the 
steps 1807 and 1808. The computational amounts of 
addition and subtraction on the finite field are 
relatively small as compared with the computational 

25 amount of multiplication on the finite field and the 
computational amount of squaring, and may therefore be 
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ignored- Assuming that the computational amount of 
multiplication on the finite field is M, and the 
computational amount of squaring on the finite field is 
S, the above procedure requires a computational amount 
5 of 15M+2S. This is far small as compared with the 

computational amount of the fast scalar multiplication. 
For example, when the scalar value d indicates 160 
bits, the computational amount of the fast scalar 
multiplication is estimated to be a little less than 

10 about 1500 M. Assuming S=0.8 M, the computational 
amount of coordinate recovering is 16.6 M, and far 
small as compared with the computational amount of the 
fast scalar multiplication- Therefore, it is indicated 
that the coordinate can efficiently be recovered. 

15 Additionally, even when the above procedure 

is not taken, the values of X^^, Y^^ given by the 

above equation can be calculated, and the values of X/, 
^d^f '^d can then be recovered. Moreover, when the 
scalar-multiplied point dP in the affine coordinates in 

20 the Weierstrass-f orm elliptic curve is dp= (x/, y/) , the 
values of X^"", Y^, are selected so that x^"", y^"" take 

the values given by the aforementioned equations, the 
values can be calculated, and then X/, Y^, Z/ can be 
recovered. In this case, the computational amount 

25 required for recovering generally increases- Further- 
more, when the values of B as the parameter of the 
Montgomery-form elliptic curve and the conversion 
parameter s to the Montgomery- form elliptic curve are 
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set to be small, the computational amount of multipli- 
cation in the step 1813 or 1816 can be reduced. 

An algorithm which outputs X^, Z^, X^+i/ Z^+i 
from the scalar value d and the point P on the 
5 Weierstrass-f orm elliptic curve will next be described. 

As the fast scalar multiplication method of 
the scalar multiplication unit 202 of the tenth embodi- 
ment, the fast scalar multiplication method of the 
ninth embodiment is used. Thereby, as the algorithm 

10 which outputs X^, Z^, X^+i/ Z^+i from the scalar value d 

and the point P on the Weierstrass-f orm elliptic curve, 
a fast algorithm can be achieved. Additionally, 
instead of using the aforementioned algorithm in the 
scalar multiplication unit 202, any algorithm may be 

15 used as long as the algorithm outputs X^/ Z^, X^+i, Z^+i 
from the scalar value d and the point P on the 
Weierstrass-f orm elliptic curve at high speed. 

The computational amount required for 
recovering the coordinate of the coordinate recovering 

20 unit 203 in the scalar multiplication unit 103 is 
15M+2S, and this is far small as compared with the 
computational amount of (9.2k-3.6)M necessary for fast 
scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 

25 necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 
computational amount necessary for the fast scalar 
multiplication of the fast scalar multiplication unit. 



-J. Q O ^4- ^3 ml & *h5" ^ tJ ^3 3 O O S 



Assuming that S=0.8 the computational amount can be 
estimated to be about (9.2k+13)M. For example, when 
the scalar value d indicates 160 bits (k=160) , the 
computational amount necessary for the scalar multipli- 
5 cation is about 1485 M. The Weierstrass-f orm elliptic 
curve is used as the elliptic curve, the scalar 
multiplication method is used in which the window 
method and the mixed coordinates mainly including the 
Jacobian coordinates are used, and the scalar- 

10 multiplied point is outputted as the Jacobian coordi- 
nates. In this case, the required computational amount 
is about 1600 M, and as compared with this, the 
required computational amount is reduced. 

In an eleventh embodiment, the Weierstrass- 

15 form elliptic curve is used as the elliptic curve for 
input/output, and the Montgomery- form elliptic curve 
which can be transformed from the given Weierstrass- 
form elliptic curve is used for the internal calcula- 
tion. The scalar multiplication unit 103 calculates 

20 and outputs the scalar-multiplied point {^^fY^) with the 
complete coordinate given thereto as the point of the 
affine coordinates in the Weierstrass-f orm elliptic 
curve from the scalar value d and the point P on the 
Weierstrass-f orm elliptic curve. The scalar value d 

25 and the point P on the Weierstrass-f orm elliptic curve 
are inputted into the scalar multiplication unit 103, 
and received by the scalar multiplication unit 202. 
The fast scalar multiplication unit 202 calculates 
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and Zd in the coordinate of the scalar-multiplied point 
dP= (Xd/ Yd, Zd) represented by the projective coordinates 
in the Montgomery- form elliptic curve, X^+i and Z^+i in 
the coordinate of the point (d+1) P= (X^^i, Y^^^, Z^^i) on the 
5 Montgomery- form elliptic curve represented by the 

projective coordinates, and X^-i and Z^_^ in the coordi- 
nate of the point (d-1 ) P= (Xd_i, Y^.i, Z^.^) on the 
Montgomery- form elliptic curve represented by the 
projective coordinates from the received scalar value d 

10 and the given point P on the Weierstrass-f orm elliptic 
curve. Moreover, the inputted point P on the 
Weierstrass-form elliptic curve is transformed to the 
point on the Montgomery-form elliptic curve which can 
be transformed from the given Weierstrass-form elliptic 

15 curve, and the point is set anew to P=(x,y). The 

scalar multiplication unit 202 gives X^, Z^, X^+i, Z^+i, 
^d-if "^d-if and y to the coordinate recovering unit 
203. The coordinate recovering unit 203 recovers 
coordinates x^, y^ of the scalar-multiplied point 

20 dP=(Xd,yd) represented by the affine coordinates in the 
Weierstrass-form elliptic curve from the given coordi- 
nate values X^, Z^, X^+i, Z^^^, X^.^, Z^_^, x, and y. The 
scalar multiplication unit 103 outputs the scalar- 
multiplied point (Xd,yd) with the coordinate completely 

25 given thereto in the affine coordinates on the 

Weierstrass-form elliptic curve as the calculation 
result . 

A processing of the coordinate recovering 



unit which outputs x^. Yd from the given coordinates x, 
y, X^r Zd, Xd+i, Zd+i, Xd_i, Zrf.i will next be described with 
reference to FIG. 19. 

The coordinate recovering unit 2 03 inputs 
5 and in the coordinate of the scalar-multiplied point 
dP= (Xj^, Z^) represented by the projective coordinates 
in the Montgomery- form elliptic curve, X^+^ and Z^+i in 
the coordinate of the point (d+1 ) P= (X^+i, Y^^;^, Z^+J on the 
Montgomery-form elliptic curve represented by the 

10 projective coordinates, X^-i and Z^-i in the coordinate of 
the point (d-1 ) P= (X^^i, Y^.i, Z^.i) on the Montgomery- form 
elliptic curve represented by the projective coordi- 
nates, and (x,y) as representation of the point P on 
the Montgomery-form elliptic curve in the affine 

15 coordinates inputted into the scalar multiplication 
unit 103, and outputs the scalar-multiplied point 
(^d^Vd) with the complete coordinate given thereto in 
the affine coordinates on the Weierstrass-f orm elliptic 
curve in the following procedure. Here, the affine 

20 coordinate of the inputted point P on the Montgomery- 
form elliptic curve is represented by (x,y), and the 
projective coordinate thereof is represented by 
(Xi,Y3^,ZJ. Assuming that the inputted scalar value is 
d, the affine coordinate of the scalar-multiplied point 

25 dP in the Montgomery- form elliptic curve is represented 
by (Xd^°", y/°'') , and the projective coordinate thereof is 
represented by {X^,Y^,Z^), The affine coordinate of the 
point (d-l)P on the Montgomery- form elliptic curve is 
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represented by (x^-i/ Ya-i) / and the projective coordinate 
thereof is represented by (X^.i, Y^.i/ Z^.J . The affine 
coordinate of the point (d+l)P on the Montgomery-form 

elliptic curve is represented by {Xd+i,yd+i)/ and the 
5 projective coordinate thereof is represented by 

In step 1901 X^.iXZd+i is calculated, and stored 
in the register . In step 1902 Z^,^xX^^^ is calculated, 
and stored in the register T2 - In step 1903 T1-T2 is 

10 calculated. Here, Xd-iZ^+i is stored in the register 

and Z^_iXd+i is stored in the register Tg, and Xd_iZd+i-Zd_ 
iXd+i is therefore calculated. The result is stored in 
the register . In step 1904 Z^xx is calculated and 
stored in the register T2 - In step 1905 Xd-T2 is 

15 calculated. Here, Z^x is stored in the register Tg. 

Therefore, X^-xZ^ is calculated. The result is stored 
in the register T2 . In step 1906 a square of T2 is 
calculated. Here, X^-xZ^ is stored in the register T2 . 
Therefore, (X^-xZ^) ^ is calculated. The result is stored 

20 in the register T2 . In step 1907 T1XT2 is calculated. 
Here, Xd-iZd+i-Z^.^X^+i is registered in the register T^, 
(X^-xZ^)^ is stored in the register Tg, and therefore 
(X^-xZd) ^ (Xd_iZd+i-Zd-iXd^.i) is calculated. The result is 
stored in the register T^. In step 1908 4Bxy is 

25 calculated. The result is stored in the register T2. 

In step 1909 T2xZd+i is calculated. Here, 4By is stored 
in the register T2, and 4ByZd+i is calculated. The 
result is stored in the register T2 . In step 1910 TsxZ^.i 



is calculated- Here, 4ByZd+i is stored in the register 
T2, and 4ByZd,iZd+i is therefore calculated. The result 
is stored in the register T^. In step 1911 T^xZ^ is 
calculated. Here, 4BYZd_iZd_,i is stored in the register 
5 T2. Therefore, 4ByZd_iZd+iZd is calculated. The result is 
stored in the register Tj. In step 1912 TsXX^ is 
calculated. Here, 4ByZd_iZd+iZd is stored in the register 
T2, and 4ByZd_iZd^iZdXd is therefore calculated. The 
result is stored in the register T3 . In step 1913 T2xZd 

10 is calculated. Here, 4ByZd.iZd+iZd is stored in the 

register T2, and 4ByZd,iZd^.iZdZd is therefore calculated. 
The result is stored in the register T2 . In step 1914 
T2XS is calculated. Here, 4ByZ^_iZd_,iZdZd is stored in the 
register T2 . Therefore, 4sByZd_iZd+iZ^Zd is calculated. 

15 The result is stored in the register T2 . In step 1915 
an inverse element of T2 is calculated. Here, 
4sByZd-iZd+iZdZd is stored in the register T2, and 
l/4sByZd.iZd^-iZdZ^ is therefore calculated. The result is 
stored in the register T2. In step 1916 T2XT3 is 

20 calculated. Here, l/4sByZd_iZd^.iZdZd is stored in the 
register T2, 4ByZd.iZd+iZdXd is in the register T3, and 
therefore ( 4ByZd_-,Zd^iZ^XJ / ( 4sByZ^_-,Zd+,ZdZ J is calculated. 
The result is stored in T3. In step 1917 T3-f-a is 
calculated. Here, i^ByZ^.^Z^^^Z^X^} / ( 4sByZd_iZ^,iZ^Z J is 

25 stored in the register T3- Therefore, (4ByZd_iZd+iZdXd) / 
(4sByZd_iZd^.i2^dZd) +a is calculated. The result is stored 
in the register x^. In step 1918 the register T1XT2 is 
calculated. Here (X^-y^Z^)^ (X^.^Z^^^-Z^.^X^^^) is stored in 
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the register T^, 1/ ^sByZ^.^Z^^^Z^Z^ is stored in the 
register H^, and therefore (X^.^Z^^^-Z^^^X^^^) (Xd-ZdX)V 
4sByZd_iZd^.iZ/ is calculated. The result is stored in the 
register y^. Therefore, the register stores (Xd-iZ^+i- 
5 Z^.iXd^J (Xd-Z^x) V4sByZd.iZd^iZ/. In the step 1917 

(4ByZd_iZd^,Z^XJ / (4sByZd-iZd^iZdZJ+a is stored in the 
register x^, and is not updated thereafter, and the 
value is therefore held. 

A reason why all the values in the affine 

10 coordinate (x^, y^) of the scalar-multiplied point in the 
Weierstrass-f orm elliptic curve are recovered from x, 
y, Xd/ Zd, Xd+i, Zd+i, Xd_i, Zd_i given by the aforementioned 
procedure is as follows. Additionally, point (d+l)P is 
a point obtained by adding the point P to the point dP, 

15 and point (d-l)P is a point obtained by subtracting the 
point P from the point dP. Assignment to the addition 
formulae in the affine coordinates of the Montgomery- 
form elliptic curve results in Equations 38, 39. When 
opposite sides are individually subjected to subtrac- 

20 tion. Equation 40 is obtained. Therefore, Equation 41 
results. Here, ^^""""-^^XjZ^, x^^i^Xd^i/Z^^,, x^.i^X^-i/Z^.i . The 
value is assigned and thereby converted to the value of 
the projective coordinate. Then, Equation 42 is 
obtained. Although x/°"=Xd/Zd, the reduction to the 

25 denominator common with that of y^""" is performed for 

the purpose of reducing the frequency of inversion, and 
Equation 53 is obtained. 
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xr = (4ByZ,^,Z,_,Z,XM4ByZ,^,Z,_,Z,Z,) 
. . . Equation 53 

The correspondence between the point on the Montgomery- 
form elliptic curve and the point on the Weierstrass- 
5 form elliptic curve is described in K.Okeya, 

H^Kurumatani, K.Sakurai, Elliptic Curves with the 
Montgomery- form and Their Cryptographic Applications, 
Public Key Cryptography, LNCS 1751 (2000) pp. 238-257. 
Thereby, when the conversion parameters are s, a, the 
10 relation is yd^s'^^''^" and Xd=s"^x/°"+a- As a result, the 
following equations are obtained. 



=(^.-.2,,, -Z,_,X,^JX,-Z,xy/4sByZ,_,Z,,,Z', 
. . . Equation 54 
X, = {4ByZ,^,Z,_,Z,X,)/{4sByZ,,,Z,_,Z,Z,) + a 
15 ... Equation 55 

Here, x^, y^ are given by FIG, 19. Therefore, 
all values of the affine coordinate {y.^,Y^) of the 
scalar-multiplied point in the Weierstrass-f orm 
elliptic curve are recovered. 

20 For the aforementioned procedure, in the 

steps 1901, 1902, 1904, 1907, 1908, 1909, 1910, 1911, 
1912, 1913, 1914, 1916, and 1818, the computational 
amount of multiplication on the finite field is 
required. Moreover, the computational amount of 

25 squaring on the finite field is required in the step 
1906. Moreover, in the step 1914 the computational 



156 

amount of the inversion on the finite field is 
required. The computational amounts of addition and 
subtraction on the finite field are relatively small as 
compared with the computational amount of multiplica- 
5 tion on the finite field and the computational amounts 
of squaring and inversion, and may therefore be 
ignored. Assuming that the computational amount of 
multiplication on the finite field is M, the computa- 
tional amount of squaring on the finite field is S, and 

10 the computational amount of inversion on the finite 
field is I, the above procedure requires a computa- 
tional amount of 13M+S+I. This is far small as 
compared with the computational amount of the fast 
scalar multiplication. For example, when the scalar 

15 value d indicates 160 bits, the computational amount of 
the fast scalar multiplication is estimated to be a 
little less than about 1500 M. Assuming S=0.8 M, 1=40 
M, the computational amount of coordinate recovering is 
53.8 M, and far small as compared with the computa- 

20 tional amount of the fast scalar multiplication. 

Therefore, it is indicated that the coordinate can 
efficiently be recovered. 

Additionally, even when the above procedure 
is not taken, the values of x^^, y^ given by the above 

25 equation can be calculated, and the values of x^, can 
then be recovered. In this case, the computational 
amount required for recovering generally increases. 
Furthermore, when the values of B as the parameter of 
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the Montgomery- form elliptic curve and s as the 
conversion parameter to the Montgomery- form elliptic 
curve are set to be small, the computational amount of 
multiplication in the step 1908 or 1914 can be reduced. 
5 A processing of the fast scalar multiplica- 

tion unit which outputs X^, Z^, X^+i, Z^+i, X^-i, Z^-i from 
the scalar value d and the point P on the Weierstrass- 
form elliptic curve will next be described with refer- 
ence to FIG. 10. 

10 The fast scalar multiplication unit 202 

inputs the point P on the Weierstrass-f orm elliptic 
curve inputted into the scalar multiplication unit 103, 
and outputs X^ and in the scalar-multiplied point 
dP= (X^, Y^, Zj) represented by the projective coordinate in 

15 the Montgomery- form elliptic curve, X^+i and Z^+i in the 
point (d+1 ) P= (X^+i, Yjj+i, Z^+i) on the Montgomery- form 
elliptic curve represented by the projective coordi- 
nate, and Xd_i and Z^_^ in the point (d-1 ) P= (X^_i, Y^-i, Z^-i) 
on the Montgomery- form elliptic curve represented by 

20 the projective coordinate by the following procedure. 

In step 1016, the given point P on the Weierstrass-f orm 
elliptic curve is transformed to the point represented 
by the projective coordinates on the Montgomery-form 
elliptic curve. This point is set anew as point P. In 

25 step 1001, the initial value 1 is assigned to the 

variable I. The doubled point 2P of the point P is 
calculated in step 1002. Here, the point P is 
represented as {x,y,l) in the projective coordinate. 



.J. O O H'^Si & «l" -w O T^.r^Su-.^i O E¥ 



158 

and the doubling formula in the projective coordinate 
of the Montgomery- form elliptic curve is used to 
calculate the doubled point 2P. In step 1003, the 
point P on the elliptic curve inputted into the scalar 
5 multiplication unit 103 and the point 2P obtained in 
the step 1002 are stored as a set of points (P,2P). 
Here, the points P and 2P are represented by the 
projective coordinate. It is judged in step 1004 
whether or not the variable I agrees with the bit 

10 length of the scalar value d. With agreement, m=d is 
satisfied and the flow goes to step 1014. With 
disagreement, the flow goes to step 1005. The variable 
I is increased by 1 in the step 1005. It is judged in 
step 1006 whether the value of the I-th bit of the 

15 scalar value is 0 or 1. When the value of the bit is 
0, the flow goes to the step 1007. When the value of 
the bit is 1, the flow goes to step 1010. In step 
1007, addition mP+(m+l)P of points mP and (m+l)P is 
performed from a set of points (mP, (m+l)P) represented 

20 by the projective coordinate, and the point (2m+l)P is 
calculated. Thereafter, the flow goes to step 1008. 
Here, the addition mP+(m+l)P is calculated using the 
addition formula in the projective coordinate of the 
Montgomery- form elliptic curve. In step 1008, doubling 

25 2 (mP) of the point mP is performed from the set of 
points (mP, (m+l)P) represented by the projective 
coordinate, and the point 2mP is calculated. There- 
after, the flow goes to step 1009. Here, the doubling 
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2 (mP) is calculated using the formula of doubling in 
the projective coordinate of the Montgomery- form 
elliptic curve. In the step 1009, the point 2mP 
obtained in the step 1008 and the point (2m4-l)P 
5 obtained in the step 1007 are stored as a set of points 
{2mP, (2m4-l)P) instead of the set of points (mP, 
(m+l)P). Thereafter, the flow returns to the step 
1004- Here, the points 2mP, (2m+l)P, mP, and (m+l)P 
are all represented in the projective coordinates. In 

10 step 1010, addition mP+(m+l)P of the points mP, (m+l)P 
is performed from the set of points (mP, (m+l)P) 
represented by the projective coordinates, and the 
point {2m+l)P is calculated. Thereafter, the flow goes 
to step 1011, Here, the addition mP+(m+l)P is calcu- 

15 lated using the addition formula in the projective 

coordinates of the Montgomery- form elliptic curve. In 
the step 1011, doubling 2((m+l)P) of the point {m+l)P 
is performed from the set of points (mP, (m+l)P) 
represented by the projective coordinates, and the 

20 point (2m+2)P is calculated- Thereafter, the flow goes 
to step 1012. Here, the doubling 2((m+l)P) is calcu- 
lated using the formula of doubling in the projective 
coordinates of the Montgomery-form elliptic curve. In 
the step 1012, the point (2m+l)P obtained in the step 

25 1010 and the point (2m+2)P obtained in the step 1011 

are stored as a set of points ( (2m+l) P, (2m+2) P) instead 
of the set of points (mP, (m+l)P) . Thereafter, the flow 
returns to the step 1004. Here, the points (2m+l)P, 
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(2m+2)P, mP, and (iu+l)P are all represented in the 
projective coordinates. In step 1014, X^_j^ and Z^^.^ are 
outputted as X^.i and Z^.^ of the point (m-l)P in the 
projective coordinates from the set of points 
5 (luP, (m+l)P) represented by the projective coordinates. 
Thereafter, the flow goes to step 1013. In the step 

1013, and Z^ as and Z^ from the point mP= (X^, Y„, Z^) 
represented by the projective coordinates, and X^+^ and 
Zm+i as X^^i and Z^^, of the point (m-f 1 ) P= (X^^^, Y^^^, Z^^J 

10 represented by the projective coordinates are outputted 
together with X^-i and Z^-i - Here, and Y^+i are not 
obtained, because the Y-coordinate cannot be obtained 
by the addition and doubling formulae in the projective 
coordinates of the Montgomery- form elliptic curve. In 

15 the above procedure, m and scalar value d are equal in 
the bit length and bit pattern, and are therefore 
equal . 

Moreover, when (m-l)P is obtained in step 

1014, it may be obtained by Equations 13, 14. If m is 
20 an odd number, a value of ((m-l)/2)P is separately held 

in the step 1012, and (m-l)P may be obtained from the 
value by the doubling formula of the Montgomery- form 
elliptic curve. 

The computational amount of the addition 
25 formula in the projective coordinates of" the 

Montgomery- form elliptic curve is 3M+2S with Zi=l . 
Here, M is the computational amount of multiplication 
on the finite field, and S is the computational amount 
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of squaring on the finite field. The computational 
amount of the doubling formula in the projective 
coordinates of the Montgomery- form elliptic curve is 
3M+2S. When the value of the I-th bit of the scalar 
5 value is 0, the computational amount of addition in the 
step 1007, and the computational amount of doubling in 
the step 1008 are required. That is, the computational 
amount of 6M+4S is required. When the value of the I- 
th bit of the scalar value is 1, the computational 

10 amount of addition in the step 1010, and the computa- 
tional amount of doubling in the step 1011 are 
required. That is, the computational amount of 6M+4S 
is required- In any case, the computational amount of 
6M+4S is required. The number of repetitions of the 

15 steps 1004, 1005, 1006, 1007, 1008, 1009, or the steps 
1004, 1005, 1006, 1010, 1011, 1012 is (bit length of 
the scalar value d)-l. Therefore, in consideration of 
the computational amount of doubling in the step 1002, 
and the computational amount necessary for the calcula- 

20 tion of (m-l)P in the step 1014, the entire computa- 
tional amount is { 6M-I-4S) k+M. Here, k is the bit length 
of the scalar value d. In general, since the computa- 
tional amount S is estimated to be of the order of 
S=0.8 M, the entire computational amount is approxi- 

25 mately (9.2k+3)M. For example, when the scalar value d 
indicates 160 bits (k=160), the computational amount of 
algorithm of the aforementioned procedure is about 1475 
M. The computational amount per bit of the scalar 
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value d is about 9.2 M. In A. Miyaji, T. Ono, H. 
Cohen, Efficient elliptic curve exponentiation using 
mixed coordinates. Advances in Cryptology Proceedings 
of ASIACRYPT' 98, LNCS 1514 (1998) pp. 51-65, the scalar 
5 multiplication method using the window method and mixed 
coordinates mainly including Jacobian coordinates in 
the Weierstrass-f orm elliptic curve is described as the 
fast scalar multiplication method. In this case, the 
computational amount per bit of the scalar value is 

10 estimated to be about 10 M. For example, when the 

scalar value d indicates 160 bits (k=160) , the computa- 
tional amount of the scalar multiplication method is 
about 1600 M. Therefore, the algorithm of the afore- 
mentioned procedure can be said to have a small 

15 computational amount and high speed. 

Additionally, instead of using the afore- 
mentioned algorithm in the fast scalar multiplication 
unit 202, another algorithm may be used as long as the 
algorithm outputs X^, Z^, >^d+i^ 2^+1 from the scalar value 

20 d and the point P on the Weierstrass-f orm elliptic 
curve at high speed. 

The computational amount required for 
recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 

25 13M+S+I, and this is far small as compared with the 
computational amount of (9.2k+l)M necessary for fast 
scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
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necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 
computational amount necessary for the fast scalar 
multiplication of the fast scalar multiplication unit. 
5 Assuming 1=40 M, S=0 . 8 M, the computational amount can 
be estimated to be about { 9 , 2k+56 . 8 ) M. For example, 
when the scalar value d indicates 160 bits (k=160) , the 
computational amount necessary for the scalar multipli- 
cation is about 1529 M, The Weierstrass-f orm elliptic 

10 curve is used as the elliptic curve, the scalar 
multiplication method is used in which the window 
method and the mixed coordinates mainly including the 
Jacobian coordinates are used, and the scalar- 
multiplied point is outputted as the affine coordi- 

15 nates. In this case, the required computational amount 
is about 1640 M, and as compared with this, the 
required computational amount is reduced. 

In a twelfth embodiment, the Weierstrass-f orm 
elliptic curve is used as the elliptic curve for 

20 input/output, and the Montgomery-form elliptic curve 
which can be transformed from the given Weierstrass- 
form elliptic curve is used for the internal calcula- 
tion. The scalar multiplication unit 103 calculates 
and outputs the scalar-multiplied point (X/, Yd"", Z^"") with 

25 the complete coordinate given thereto as the point of 
the projective coordinates in the Weierstrass-f orm 
elliptic curve from the scalar value d and the point P 
on the Weierstrass-f orm elliptic curve. The scalar 



value d and the point P on the Weierstrass-f orm 
elliptic curve are inputted into the scalar multipli- 
cation unit 103, and received by the scalar multipli- 
cation unit 202. The fast scalar multiplication unit 
5 202 calculates and in the coordinate of the 

scalar-multiplied point dP= (X^, Y^, Z^) represented by the 
projective coordinates in the Montgomery- form elliptic 
curve, Xd+i and Z^+i in the coordinate of the point 
(d+l ) P= (X^+i, Yd+i, Z^+i) on the Montgomery-form elliptic 

10 curve represented by the projective coordinates, and X^.] 
and Zci_i in the coordinate of the point (d-l)P= 
(Xd_i, Yd_i, Zj3_i) on the Montgomery-form elliptic curve 
represented by the projective coordinates from the 
received scalar value d and the given point P on the 

15 Weierstrass-form elliptic curve. The information is 
given to the coordinate recovering unit 203 together 
with the inputted point P=(x,y) on the Weierstrass-form 
elliptic curve represented by the projective coordi- 
nates. The coordinate recovering unit 203 recovers 

20 coordinate X/, Y/, Z^"^ of the scalar-multiplied point 

dP= (Xd"", Ycj"^, Z^"^) represented by the projective coordinates 
in the Weierstrass-form elliptic curve from the given 
coordinate values X^, Z^, X^+i, 2^+1, X^-i, Z^.-^, x, and y. 
The scalar multiplication unit 103 outputs the scalar- 

25 multiplied point (X/, Y^"^, Z^"^) with the coordinate 

completely given thereto in the projective coordinates 
on the Weierstrass-form elliptic curve as the calcula- 
tion result. 
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A processing of the coordinate recovering 
unit which outputs X/, Y/, Z^"" from the given coordi- 
nates X, y, Xd, Zd, Xd+i, Zd+i, Xd_i, Zd_i will next be 
described with reference to FIG. 20. 
5 The coordinate recovering unit 203 inputs X^ 

and Zd in the coordinate of the scalar-multiplied point 
dP= (X^, Yd, Zd) represented by the projective coordinates 
in the Montgomery-form elliptic curve, X^+i and Z^+i in 
the coordinate of the point (d+l ) P= (X^+i, Y^^^, Z^+i) on the 

10 Montgomery- form elliptic curve represented by the 

projective coordinates, X^^.^ and Z^.i in the coordinate of 
the point (d-1 ) P= (X^.i, Y^.i, Z^-i) on the Montgomery-form 
elliptic curve represented by the projective coordi- 
nates, and (x,y) as representation of the point P on 

15 Weierstrass-f orm elliptic curve in the projective 

coordinates inputted into the scalar multiplication 
unit 103, and outputs the scalar-multiplied point 
(X^""^ Y^"", Z^"") with the complete coordinate given thereto 
in the projective coordinates on the Weierstrass-f orm 

20 elliptic curve in the following procedure. Here, the 
affine coordinate of the inputted point P on the 
Montgomery- form elliptic curve is represented by (x,y), 
and the projective coordinate thereof is represented by 
(Xi,Yi,Zi). Assuming that the inputted scalar value is 

25 d, the affine coordinate of the scalar-multiplied point 
dP in the Montgomery- form elliptic curve is represented 
by (x^,y^), and the projective coordinate thereof is 
represented by {X^,Y^,Z^}. The affine coordinate of the 



point (d-l)P on the Montgomery- form elliptic curve is 
represented by (^d-i^Yd-i) f the projective coordinate 

thereof is represented by (X^.i, Y^.i/ Z^.i) . The affine 
coordinate of the point (d+l)P on the Montgomery- form 
5 elliptic curve is represented by (x^^^^, y^+J , and the 
projective coordinate thereof is represented by 

In step 2001 X^^iXZ^+i is calculated, and stored 
in the register T^. In step 2002 Z^.^xX^+i is calculated, 

10 and stored in the register T2 . In step 2003 T1-T2 is 

calculated. Here, X^_-^Z^+^ is stored in the register T^, 
Zd-i^d+i is stored in the register T2, and ^d-i^<i+i~'^di-i^<i+i is 
therefore calculated. The result is stored in the 
register T^ . In step 2004 Z^xx is calculated, and 

15 stored in the register T2 . In step 2005 X^-T2 is 

calculated. Here, Z^x is stored in the register T2, and 
X^-xZd is therefore calculated. The result is stored in 
the register T2 - In step 2006 a square of T2 is 
calculated. Here, X^-xZ^ is stored in the register T2, 

20 and . (X^-xZ^) ^ is therefore calculated. The result is 

stored in the register Tg . In step 2007 T^xTg is calcu- 
lated. Here, X^-iZd+i-Zd-iXd+i is stored in the register T^, 
(X^-xZ^)^ is stored in the register T2, and therefore 
(X^-xZd) ^ (Xd_iZd+i-Zd-iXd+i) is calculated. The result is 

25 stored in the register Y/. In step 2008 4Bxy is 

calculated. The result is stored in the register Tj. 
In step 2009 T2xZ^_,^ is calculated. Here, 4By is stored 
in the register T2, and 4ByZd+i is therefore calculated- 
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The result is stored in the register T2 . In step 2010 
T2xZd-i is calculated. Here, 4ByZd+i is stored in the 
register T2, and 4ByZd+iZd_i is therefore calculated. The 
result is stored in the register T2 - In step 2011 T2xZd 
5 is calculated. Here, 4ByZd^iZ^_i is stored in the 

register T2, and 4ByZd+iZd_iZd is therefore calculated. 
The result is stored in the register T2. In step 2012 
TsXXd is calculated. Here, 4ByZd+iZd-iZd is stored in the 
register T2, and 4ByZd^iZd_iZdXd is therefore calculated. 

10 The result is stored in the register T^. In step 2013 
T2xZd is calculated. Here, 4ByZd+iZd_iZd is stored in the 
register T2, and 4ByZd+iZd_iZdZd is therefore calculated. 
The result is stored in T2 - In step 2014 TgXs is 
calculated. Here the register T2 stores 4ByZd+iZd_iZd/ and 

15 therefore 4sByZd+iZd_iZdZd is calculated. The result is 
stored in the register . In step 2015 axZ^"^ is 
calculated. Here, the register Z^"^ stores 4sByZd+iZd_iZdZd/ 
and therefore 4asByZd+iZ^_;^Z^jZd is calculated. The result 
is stored in the register T2 - In step 2016 T1+T2 is 

20 calculated. Here, the register Ti stores 4ByZd+iZd_iZdXd, 
the register T2 stores 4asByZd+iZd_iZdZd/ and therefore 
4ByZd-,iZd_iZdXd+4asByZd^iZd_iZdZ^ is calculated. The result 
is stored in the register . Therefore, X^^ stores 
4ByZd+,Zd_,ZdXd+4asByZ^^iZ^_iZdZd- In the step 2007 (X^- 

25 xZ^i) ^ (Xd_iZd+i-Zd_iXd+i) is stored in the register Y/, and is 
not updated thereafter, and therefore the value is 
held. In the step 2014 4sByZd+iZd_iZdZd is stored in the 
register Z^j^, and is not updated thereafter, and there- 
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fore the value is held. 

A reason why all values in the projective 
coordinate (X/^Yd"", Z/) of the scalar-multiplied point in 
the Weierstrass-f orm elliptic curve are recovered from 
5 X, Y, X^, Zd, Xrf+i, Zd.,1, Xd-i, Zd_i given by the afore- 
mentioned procedure is as follows. Additionally, the 
point (d+l)P is a point obtained by adding the point P 
to the point dP, and the point (d-l)P is a point 
obtained by subtracting the point P from the point dP . 

10 Assignment to the addition formula in the affine 
coordinates of the Montgomery- form elliptic curve 
results in Equations 6, 7. When opposite sides are 
individually subjected to subtraction. Equation 8 is 
obtained. Therefore, Equation 9 results. Here, 

15 Xd=Xd/Zd, Xd+i=Xd+i/Zd+i, Xd-i=Xd_i/Zd-i . The value is assigned 
and thereby converted to a value of the projective 
coordinate. Then, Equation 10 is obtained. 
Although x^^X^/Z^^ the reduction to the denominator 
common with that of y^ is performed, and Equation 20 

20 results. As a result, the following equation is 
obtained. 

-{^d-\^d^\ ~ ^d-\^d^\){^d "^d^) 
. . . Equation 56 

Then, the followings are obtained. 



25 



. . . Equation 57 
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. . . Equation 58 

Here, {X' ^,Y' Z' ^) = {X^rY^, Z^) . The correspondence 
between the point on the Montgomery- form elliptic curve 
5 and the point on the Weierstrass-f orm elliptic curve is 
described in K.Okeya, H.Kurumatani, K.Sakurai, Elliptic 
Curves with the Montgomery- form and Their Cryptographic 
Applications, Public Key Cryptography, LNCS 1751 (2000) 
pp. 238-257. Thereby, when the conversion parameters 
10 are s, a, the relation is Y^^=Y' X^^'^-X' ^+olZ^'' , and 
Z/=sZ'd- As a result, the following equations are 
obtained. 

- i^d-i^d+i ~^d-\^d^\i^d ~^d^) 
- . . Equation 59 

15 = 4ByZ,,,Z,_,Z,X, + a4sByZ,,,Z,_,Z,Z, 

, . • Equation 60 

ZJ =4sByZ,,,Z,_,Z,Z, 

. . . Equation 61 

Here, X^"", Y/, Z^"^ are given by FIG. 20. Therefore, all 
20 the values of the projective coordinate (X^^ , Y^^ , Z^"^) in 
the Weierstrass-f orm elliptic curve are recovered. 

For the aforementioned procedure, in the 
steps 2001, 2002, 2004, 2007, 2008, 2009, 2010, 2011, 
2012, 2013, 2014, and 2015, the computational amount of 
25 multiplication on the finite field is required. More- 
over, the computational amount of squaring on the 
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finite field is required in the step 2006. The 
computational amounts of addition and subtraction on 
the finite field are relatively small as compared with 
the computational amount of multiplication on the 
5 finite field and the computational amount of squaring, 
and may therefore be ignored. Assuming that the 
computational amount of multiplication on the finite 
field is M, and the computational amount of squaring on 
the finite field is the above procedure requires a 

10 computational amount of 12M+S. This is far small as 
compared with the computational amount of the fast 
scalar multiplication. For example, when the scalar 
value d indicates 160 bits, the computational amount of 
the fast scalar multiplication is estimated to be a 

15 little less than about 1500 M. Assuming 3=0.8 M, the 
computational amount of coordinate recovering is 12.8 
M, and far small as compared with the computational 
amount of the fast scalar multiplication. Therefore, 
it is indicated that the coordinate can efficiently be 

20 recovered - 

Additionally, even when the above procedure 
is not taken, the values of X/, Y/, given by the 

above equation can be calculated, and the values of X^"^, 
Yd"", Zd"^ can then be recovered. Moreover, when the 
25 scalar-multiplied point dP in the affine coordinates in 
the Weierstrass-f orm elliptic curve is dP= (x^", y^"^) , the 
values of X^"", Y/, are selected so that x/, y/ take 

the values given by the aforementioned equations, the 
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values can be calculated, and then X/, Y^"", Z^^ can be 
recovered. In this case, the computational amount 
required for recovering generally increases. Further- 
more, when the values of B as the parameter of the 
5 Montgomery- form elliptic curve and s as the conversion 
parameter to the Montgomery- form elliptic curve are set 
to be small, the computational amount of multiplication 
in the step 2008 or 2014 can be reduced. 

An algorithm which outputs X^, Z^/ X^+i, Z^+i/ 

10 X^_i, Zd_i from the scalar value d and the point P on the 
Weierstrass-f orm elliptic curve will next be described. 

As the fast scalar multiplication method of 
the scalar multiplication unit 202 of the twelfth 
embodiment, the fast scalar multiplication method of 

15 the eleventh embodiment is used. Thereby, as the 

algorithm which outputs X^/ Z^, X^+i, 2^+^, X^-i/ Z^.i from 
the scalar value d and the point P on the Weierstrass- 
form elliptic curve, a fast algorithm can be achieved. 
Additionally, instead of using the aforementioned 

20 algorithm in the scalar multiplication unit 202, any 

algorithm may be used as long as the algorithm outputs 
X^, Zdf X^+i, Zd+i, Z^_i from the scalar value d and 

the point P on the Weierstrass-f orm elliptic curve at 
high speed. 

2 5 The computational amount required for 

recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 
12M+S, and this is far small as compared with the 
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computational amount of (9.2k+l)M necessary for fast 
scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
necessary for the scalar multiplication of the scalar 
5 multiplication unit 103 is substantially equal to the 
computational amount necessary for the fast scalar 
multiplication of the fast scalar multiplication unit. 
Assuming that S=0 . 8 M, the computational amount can be 
estimated to be about ( 9 . 2k+13 . 8 ) M. For example, when 

10 the scalar value d indicates 160 bits (k=160), the 

computational amount necessary for the scalar multipli- 
cation is about 1486 M. The Weierstrass-f orm elliptic 
curve is used as the elliptic curve, the scalar 
multiplication method is used in which the window 

15 method and the mixed coordinates mainly including the 
Jacobian coordinates are used, and the scalar- 
multiplied point is outputted as the Jacobian coordi- 
nates. In this case, the required computational amount 
is about 1600 M, and as compared with this, the 

2 0 required computational amount is reduced. 

In a thirteenth embodiment, the Weierstrass- 
form elliptic curve is used as the elliptic curve for 
input/output, and the Montgomery-form elliptic curve 
which can be transformed from the given Weierstrass- 

25 form elliptic curve is used for the internal calcula- 
tion. The scalar multiplication unit 103 calculates 
and outputs the scalar-multiplied point {x^'^rYd') with 
the complete coordinate given thereto as the point of 
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the affine coordinates in the Weierstrass-f oriu elliptic 
curve from the scalar value d and the point P on the 
Weierstrass-f orm elliptic curve. The scalar value d 
and the point P on the Weierstrass-f orm elliptic curve 
5 are inputted into the scalar multiplication unit 103, 
and received by the scalar multiplication unit 202. 
The fast scalar multiplication unit 202 calculates in 
the coordinate of the scalar-multiplied point dP={K^fY^} 
represented by the affine coordinates in the 

10 Montgomery-form elliptic curve, x^+i in the coordinate of 
the point (d+1 ) P= (x^+i/ yd+i) on the Montgomery- form 
elliptic curve represented by the affine coordinates, 
and Xj.i in the coordinate of the point (d-1 ) P= (x^.i, y^i.i) 
on the Montgomery- form elliptic curve represented by 

15 the affine coordinates from the received scalar value d 
and the given point P on the Weierstrass-f orm elliptic 
curve. The information is given to the coordinate 
recovering unit 203 together with the inputted point 
P=(x,y) on the Montgomery- form elliptic curve 

20 represented by the affine coordinates. The coordinate 
recovering unit 203 recovers coordinate of the 

scalar-multiplied point dP= (Xd"", y^"") represented by the 
affine coordinates in the Weierstrass-f orm elliptic 
curve from the given coordinate values x^, x^+i, ^d-if ^/ 

25 and y. The scalar multiplication unit 103 outputs the 
scalar-multiplied point (Xd"", y^"") with the coordinate 
completely given thereto in the affine coordinates on 
the Weierstrass-f orm elliptic curve as the calculation 



result • 

A processing of the coordinate recovering 
unit which outputs x/, y^'' from the given coordinates x, 
y, x^i, ^d+if ^d-i will next be described with reference to 
5 FIG. 21. 

The coordinate recovering unit 203 inputs x^ 
in the coordinate of the scalar-multiplied point 
dP=(Xd,yd) represented by the affine coordinates in the 
Montgomery-form elliptic curve, x^+i in the coordinate of 

10 the point (d+1 ) P= (x^^.^, y^^^^) on the Montgomery- form 

elliptic curve represented by the affine coordinates, 
x^_i in the coordinate of the point (d-l ) P= (x^.i, yd-i) on 
the Montgomery-form elliptic curve represented by the 
affine coordinates, and (x,y) as representation of the 

15 point P on the Montgomery-form elliptic curve in the 
affine coordinates inputted into the scalar multipli- 
cation unit 103, and outputs the scalar-multiplied 
point (Ka^rYd"^) with the complete coordinate given 
thereto in the affine coordinates in the following 

2 0 procedure. 

In step 2101 x^-x is calculated, and stored in 
the register T^. In step 2102 a square of Ti, that is, 
(x^-x)^ is calculated, and stored in the register . In 
step 2103 Xd_i-Xd+i is calculated, and stored in T2 . In 
25 step 2104 T1XT2 is calculated. Here, (x^-x)^ is stored 

in the register T^, Xd-i-x^+i is stored in the register T2, 
and therefore (x^-x) ^ (x^-i-x^^i) is calculated. The result 
is stored in the register T^ . In step 2105 4Bxy is 
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calculated, and stored in the register T2 . In step 2106 
the inverse element of T2 is calculated. Here, 4By is 
stored in the register T2, and l/4By is therefore calcu- 
lated. The result is stored in the register T2. In 
5 step 2107 T1XT2 is calculated. Here, (x^-x) ^ (Xd-i-x^+i) is 
stored in the register T^, l/4By is stored in the 
register T2, and (Xd-x) ^ (x^.i-x^+i ) /4By is therefore calcu- 
lated. The result is stored in the register T^. In 
step 2108 T^xs"^ is calculated. Here, (x^-x) ^ (x^^i-Xd+i) / 

10 4By is stored in the register T^, and therefore (x^- 

^ (^d-i-^d+i) /4sBy is calculated. The- result is stored 
in the register y^"^. Additionally, since s is given 
beforehand, s~^ can be calculated beforehand. In step 
2109 XrfXs"^ is calculated. The result is stored in the 

15 register T^. In step 2110 T^+a is calculated. Here 

s'^Xd is stored in the register T^, and therefore s'^x^+a 
is calculated. The result is stored in the register 
Xd"^. Therefore, s'^x^+a is stored in the register x^"". 
In the step 2108, since (x^i-x) ^ (Xd-i-x^+i) /4sBy is stored 

20 in the register y^"^, and is not updated thereafter, the 
inputted value is held. 

A reason why the y-coordinate of the 
scalar-multiplied point is recovered by the afore- 
mentioned procedure is as follows. Additionally, the 

25 point (d+l)P is a point obtained by adding the point P 
to the point dP, and the point (d-l)P is a point 
obtained by subtracting the point P from the point dP . 
Thereby, assignment to the addition formulae in the 
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affine coordinates of the Montgomery- form elliptic 
curve results in Equations 6, 7. When the opposite 
sides are individually subjected to subtraction. 
Equation 8 is obtained. Therefore, Equation 9 results, 
5 The correspondence between the point on the Montgomery- 
form elliptic curve and the point on the Weierstrass- 
form elliptic curve is described in K.Okeya, 
H.Kurumatani, K^Sakurai, Elliptic Curves with the 
Montgomery- Form and Their Cryptographic Applications, 
10 Public Key Cryptography, LNCS 1751 (2000) pp. 238-257. 
Thereby, when the conversion parameters are s, a, the 
relation is yd''=s"^yd/ and s"^x^^+a. As a result, the 

following equations are obtained. 

= (^^-1 -xy/4sBy 
15 ... Equation 62 

. . . Equation 63 

Here, x/, y/ are given by FIG. 21. There- 
fore, all values of the affine coordinate {x^^,y^) are 
20 recovered. 

For the aforementioned procedure, in the 
steps 2104, 2105, 2107, 2108 and 2109, the computa- 
tional amount of multiplication on the finite field is 
required. Moreover, the computational amount of 
25 squaring on the finite field is required in the step 
2102. Furthermore, the computational amount of the 
inversion on the finite field is required in the step 
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2106. The computational amounts of addition and 
subtraction on the finite field are relatively small as 
compared with the computational amounts of multiplica- 
tion, squaring, and inversion on the finite field, and 
5 may therefore be ignored. Assuming that the computa- 
tional amount of multiplication on the finite field is 
M, the computational amount of squaring on the finite 
field is S, and the computational amount of inversion 
on the finite field is I, the above procedure requires 

10 a computational amount of 5M+S+I. This is far small as 
compared with the computational amount of the fast 
scalar multiplication. For example, when the scalar 
value d indicates 160 bits, the computational amount of 
the fast scalar multiplication is estimated to be a 

15 little less than about 1500 M, Assuming S==0.8 M and 
1=4 0 M, the computational amount of coordinate 
recovering is 45.8 M, and far small as compared with 
the computational amount of the fast scalar multipli- 
cation. Therefore, it is indicated that the coordinate 

20 can efficiently be recovered. 

Additionally, even when the above procedure 
is not taken, but when the values of the right side of 
the above equation can be calculated, the value of y^"" 
can be recovered. In this case, the computational 

25 amount required for recovering generally increases. 

Furthermore, when the values of B as the parameter of 
the Montgomery- form elliptic curve and s as the conver- 
sion parameter to the Montgomery- form elliptic curve 
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are set to be small, the computational amount of 
multiplication in the steps 2105, 2108, 2109 can be 
reduced - 

A processing of the fast scalar multipli- 
5 cation unit which outputs x^, ^d+i/ ^c^-i from the scalar 
value d and the point P on the Weierstrass-f orm 
elliptic curve will next be described with reference to 
FIG. 24. 

The fast scalar multiplication unit 202 

10 inputs the point P on the Weierstrass-f orm elliptic 

curve inputted into the scalar multiplication unit 103, 
and outputs x^j in the scalar-multiplied point dP== (x^, y^) 
represented by the affine coordinate in the Montgomery- 
form elliptic curve, x^^^ in the point (d+1 ) P= (x^+i, yd+i) 

15 on the Montgomery- form elliptic curve represented by 
the affine coordinate, and Xci_i in the point (d-l)P= 
i^d-ifYd-i) on the Montgomery- form elliptic curve 
represented by the affine coordinate by the following 
procedure. In step 2416, the point P on the given 

20 Weierstrass-f orm elliptic curve is transformed to the 
point by the projective coordinates on the Montgomery- 
form elliptic curve. This point is set anew to the 
point P. In step 2401, the initial value 1 is assigned 
to the variable I. The doubled point 2P of the point P 

25 is calculated in step 240,2. Here, the point P is 

represented as {x,y, 1) in the projective coordinate, 
and the formula of doubling in the projective coordi- 
nate of the Montgomery-form elliptic curve is used to 
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calculate the doubled point 2P. In step 2403, the 
point P on the elliptic curve inputted into the scalar 
multiplication unit 103 and the point 2P obtained in 
the step 2402 are stored as a set of points (P,2P). 
5 Here, the points P and 2P are represented by the 
projective coordinate. It is judged in step 2404 
whether or not the variable I agrees with the bit 
length of the scalar value d. With agreement, m=d is 
satisfied and the flow goes to step 2414. With 

10 disagreement, the flow goes to step 2405. The variable 
I is increased by 1 in the step 2405. It is judged in 
step 2406 whether the value of the I-th bit of the 
scalar value is 0 or 1. When the value of the bit is 
0, the flow goes to the step 2407. When the value of 

15 the bit is 1, the flow goes to step 2410. In step 
2407, addition mP+(m+l)P of points mP and (m+l)P is 
performed from the set of points (mP, {m+l)P) 
represented by the projective coordinate, and the point 
{2m+l)P is calculated. Thereafter, the flow goes to 

20 step 2408. Here, the addition mP+(m+l)P is calculated 
using the addition formula in the projective coordinate 
of the Montgomery- form elliptic curve. In step 2408, 
doubling 2 (mP) of the point mP is performed from the 
set of points (mP, (m+l)P) represented by the projective 

25 coordinate, and the point 2mP is calculated. There- 
after, the flow goes to step 2409. Here, the doubling 
2(mP) is calculated using the formula of doubling in 
the projective coordinate of the Montgomery- form 
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elliptic curve. In the step 2409, the point 2mF 
obtained in the step 2 408 and the point (2m+l)P 
obtained in the step 2407 are stored as the set of 
points (2mP, (2itn-l)P) instead of the set of points 
5 (mP, (itH-l)P) . Thereafter, the flow returns to the step 
2404. Here, the points 2inP, (2m+l)P, mP, and (m4-l)P 
are all represented in the projective coordinates. In 
step 2410, addition mP+{m+l)P of the points mP, (iti+DP 
is performed from the set of points (mP, (m+l)P) 

10 represented by the projective coordinates, and the 

point (2m+l)P is calculated. Thereafter, the flow goes 
to step 2411. Here, the addition mP+(m+l)P is calcu- 
lated using the addition formula in the projective 
coordinates of the Montgomery- form elliptic curve. In 

15 the step 2411, doubling 2((m+l)P) of the point (m+l)P 
is performed from the set of points (mP, (m+l)P) 
represented by the projective coordinates, and the 
point (2m+2)P is calculated. Thereafter, the flow goes 
to step 2412. Here, the doubling 2((m+l)P) is calcu- 

20 lated using the formula of doubling in the projective 
coordinates of the Montgomery- form elliptic curve. In 
the step 2412, the point (2m+l)P obtained in the step 
2410 and the point (2m+2)P obtained in the step 2411 
are stored as the set of points ( (2m+l ) P, {2m+2 ) P) 

25 instead of the set of points (mP, (m+l)P). Thereafter, 
the flow returns to the step 2404. Here, the points 
(2m+l)P, (2m+2)P, mP, and (m+l)P are all represented in 
the projective coordinates. In step 2414, from the set 
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of points (mP, (ni+l)P) represented by the projective 
coordinates, X-coordinate X^^.i and Z-coordinate Z^^.i in 
the projective coordinates of the point {m-l)P are 
obtained as X^-i and Z^.^. Thereafter, the flow goes to 
5 step 2415. In the step 2415, X^ and are obtained as 
Xd and Zd from the point mP= (X^, Y^,, Z^^) represented by the 
projective coordinates, and X^+i and Z^^+i are obtained as 
Xd+i and Z^^i from the point (m+1 ) P= (X^^i, Y^^^, Z^,,) 
represented by the projective coordinates. Here, Y^ and 

10 Y^+i are not obtained, because Y-coordinate cannot be 
obtained by the addition and doubling formulae in the 
projective coordinates of the Montgomery- form elliptic 
curve. From X^.i, Z^-i/ X^, Z^, X^^^ and Z^^^r x^-i, x^, x^+i 
are obtained as in Equations 24, 25, 26. Thereafter, 

15 the flow goes to step 2413. In the step 2413, x^.^, x^, 
Xd+i are outputted- In the above procedure, m and scalar 
value d are equal in the bit length and bit pattern, 
and are therefore equal. Moreover, when (m-l)P is 
obtained in step 2414, it may be obtained by Equations 

20 13, 14. If m is an odd number, the value of ((m-l)/2)P 
is separately held in the step 2412, and (m-l)P may be 
obtained from the value by the doubling formula of the 
Montgomery-form elliptic curve. 

The computational amount of the addition 

25 formula in the projective coordinates of the 

Montgomery-form elliptic curve is 3M+2S with Zi=l . 
Here, M is the computational amount of multiplication 
on the finite field, and S is the computational amount 



of squaring on the finite field- The computational 
amount of the doubling formula in the projective 
coordinates of the Montgomery-form elliptic curve is 
3M+2S. When the value of the I-th bit of the scalar 
5 value is 0, the computational amount of addition in the 
step 2407, and the computational amount of doubling in 
the step 2408 are required- That is, the computational 
amount of 6M+4S is required- When the value of the I~ 
th bit of the scalar value is 1, the computational 

10 amount of addition in the step 2410, and the computa- 
tional amount of doubling in the step 2411 are 
required. That is, the computational amount of 6M+4S 
is required. In any case, the computational amount of 
6M+4S is required. The number of repetitions of the 

15 steps 2404, 2405, 2406, 2407, 2408, 2409, or the steps 
2404, 2405, 2406, 2410, 2411, 2412 is (bit length of 
the scalar value d)-l. Therefore, in consideration of 
the computational amount of doubling in the step 2402, 
the computational amount necessary for the calculation 

20 of (m-l)P in the step 2414, and the computational 

amount of the transform to the affine coordinates in 
the step 2415, the entire computational amount is 
(6M+4S) k+llM+I . Here, k is the bit length of the 
scalar value d. In general, since the computational 

25 amount S is estimated to be of the order of S=0.8 M, 
and the computational amount I is estimated to be of 
the order of 1=^40 M, the entire computational amount is 
approximately (9.2k+51)M. For example, when the scalar 
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value d indicates 160 bits (k=160), the computational 
amount of algorithm of the aforementioned procedure is 
about 1523 M. The computational amount per bit of the 
scalar value d is about 9.2 M. In A. Miyaji, T. Ono, 
5 H, Cohen, Efficient elliptic curve exponentiation using 
mixed coordinates. Advances in Cryptology Proceedings 
of ASIACRYPT' 98, LNCS 1514 (1998) pp. 51-65, the scalar 
multiplication method using the window method and mixed 
coordinates mainly including Jacobian coordinates in 

10 the Weierstrass-f orm elliptic curve is described as the 
fast scalar multiplication method. In this case, the 
computational amount per bit of the scalar value is 
estimated to be about 10 M. Additionally, the 
computational amount of the transform to the affine 

15 coordinates is required- For example, when the scalar 
value d indicates 160 bits (k=160), the computational 
amount of the scalar multiplication method is about 
1640 M. Therefore, the algorithm of the aforementioned 
procedure can be said to have a small computational 

2 0 amount and high speed - 

Additionally, instead of using the afore- 
mentioned algorithm in the scalar multiplication unit 
202, any algorithm may be used as long as the algorithm 
outputs Xd_i/ Xd/ Xd+i from the scalar value d and the 

25 point P on the Weierstrass-f orm elliptic curve at high 
speed. 

In a fourteenth embodiment, the scalar 
multiplication unit 103 calculates and outputs the 
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scalar-multiplied point (^^fYd) with the complete 
coordinate given thereto as the point of the affine 
coordinates in the Montgomery- form elliptic curve from 
the scalar value d and the point P on the Montgomery- 
5 form elliptic curve. The scalar value d and the point 
P on the Montgomery- form elliptic curve are inputted 
into the scalar multiplication unit 103, and received 
by the scalar multiplication unit 202. The fast scalar 
multiplication unit 202 calculates and in the 

10 coordinate of the scalar-multiplied point dP= (X^, Y^, Z^) 
represented by the projective coordinates in the 
Montgomery- form elliptic curve, and X^^^ and Z^+i in the 
coordinate of the point (d+1 ) P= (X^^.^, Y^+i, Z^+i) on the 
Montgomery-form elliptic curve represented by the 

15 projective coordinates from the received scalar value d 
and the given point P on the Montgomery-form elliptic 
curve. The information is given to the coordinate 
recovering unit 203 together with the inputted point 
P=(x,y) on the Montgomery-form elliptic curve 

20 represented by the affine coordinates. The coordinate 
recovering unit 203 recovers coordinate and y^ of the 
scalar-multiplied point dP= (k^, y^) represented by the 
affine coordinates in the Montgomery-form elliptic 
curve from the given coordinate values X^, Z^, ^d+i/ Z^+i, 

25 X, and y. The scalar multiplication unit 103 outputs 
the scalar-multiplied point (x^j^y^) with the coordinate 
completely given thereto in the affine coordinates as 
the calculation result* 
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A processing of the coordinate recovering 
unit which outputs x^/ Yd from the given coordinates 
y, Z^/ Xd+i/ Z^+i will next be described with reference 

to FIG, 34. 

5 The coordinate recovering unit 203 inputs 

and Zd in the coordinate of the scalar-multiplied point 
dP= (X^f Zd) represented by the projective coordinates 
in the Montgomery- form elliptic curve, X^+i and Z^+i in 
the coordinate of the point (d+1 ) (X^+^, Y^+i, Z^+i) on the 

10 Montgomery-form elliptic curve represented by the 

projective coordinates, and (x,y) as representation of 
the point P on Montgomery-form elliptic curve inputted 
into the scalar multiplication unit 103 in the affine 
coordinates, and outputs the scalar-multiplied point 

15 (x^, y^) with the complete coordinate given thereto in 
the affine coordinates in the following procedure. 
Here, the affine coordinate of the inputted point P on 
the Montgomery- form elliptic curve is represented by 
(x,y), and the projective coordinate thereof is 

20 represented by (Xi,Yi,Zi). Assuming that the inputted 

scalar value is d, the affine coordinate of the scalar- 
multiplied point dP in the Montgomery- form elliptic 
curve is represented by {x^^ y^) , and the projective 
coordinate thereof is represented by {X^fY^^Z^). The 

25 affine coordinate of the point (d+l)P on the 

Montgomery-form elliptic curve is represented by 
(^d+i/ Yd+i) / ^^ci the projective coordinate thereof is 
represented by {X^+i, Y^^^, Z^.J . 
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In step 3401, xxZ^ is calculated and stored in 
the register T^. In step 3402 X^^+T^ is calculated. 
Here, xZ^ is stored in the register T^, and therefore 
xZj+Xd is calculated. The result is stored in the 
5 register T2 . In step 3403 X^-Ti is calculated, here the 
register stores xZ^/ and therefore xZ^-X^ is calcu- 
lated. The result is stored in the register T3. In 
step 3404 a square of the register T3 is calculated. 
Here, xZ^-X^ is stored in the register T3, and therefore 

10 (X^-xZ^)^ is calculated. The result is stored in the 
register T3. In step 3405 T3xXd+i is calculated. Here, 
(X^-xZ^)^ is stored in the register T3, and therefore 
X^+i (X^-xZd) ^ is calculated. The result is stored in the 
register T3, In step 3406 2AxZ^ is calculated, and 

15 stored in the register T^ . In step 3407 T2+T1 is 

calculated- Here, xZ^+X^ is stored in the register T2, 
2AZ^j is stored in the register T^, and therefore 
xZd+X^+2AZd is calculated- The result is stored in the 
register T2 . In step 3408 xxX^ is calculated and stored 

20 in the register T4 . In step 3409 T^+Z^ is calculated. 

Here, the register T4 stores xX^, and therefore xX^+Z^ is 
calculated. The result is stored in the register T4 . 
In step 3410 T2XT4 is calculated. Here T2 stores 
xZd+Xd+2AZd, the register T4 stores xX^+Z^, and therefore, 

25 (xZd+Xd+2AZd) (xXd+Z^) is calculated. The result is 
stored in the register Tg . In step 3411 T^xZ^ is 
calculated. Here, since the register T^ stores 2AZ^, 
2AZj is calculated. The result is stored in the 
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register . In step 3412 T2-T1 is calculated. Here 
(xZd+Xd+2AZd) (xXd+Zd) is stored in the register T2, 2AZ/ 
is stored in the register T^, and therefore 
(xZd+X^+2AZd) (xX^+Zd) "-2AZ/ is calculated. The result is 
5 stored in the register T^. In step 3413 T2xZd+i is 

calculated. Here (xZd+Xd+2AZd) (xX^+Zd) -2AZd^ is stored in 
the register T2, and therefore, Z^^^ ( (xZd+Xd+2AZd) (xX^+Zd) - 
2KZ^) is calculated. The result is stored in the 
register T2 . In step 3414 T2-T3 is calculated. Here 

10 Zd+i ( (xZ^+Xd+2AZJ (xXd+Zd) -2AZ/) is stored in the register 
T2/ X^+i (Xd-xZd) ^ is stored in the register T3, and 
therefore Z^^^ ( (xZd+Xd+2AZ J (xX^+Z J -2AZ/) -X^^, (X^-xZ J ' is 
calculated. The result is stored in the register T2 . 
In step 3415 2Bxy is calculated, and stored in the 

15 register T^. In step 3416 T^xZ^ is calculated. Here, 

2By is stored in the register T^, and therefore 2ByZd is 
calculated. The result is stored in the register T^. 
In step 3417 T^xZ^^^ is calculated. Here the register T^ 
stores 2ByZd, and therefore 2ByZdZd+i is calculated. The 

20 result is stored in the register T^. In step 3418 T^xZ^ 
is calculated. Here the register T^ stores 2ByZdZd+i, 
and therefore IBy'Z.^Z^^^Z^ is calculated. The result is 
stored in the register T3. In step 3419 the inverse 
element of the register T3 is stored. Here the register 

25 T3 stores 2ByZdZd^.iZd, and therefore l/2ByZdZd,.iZd is 

calculated. The result is stored in the register T3. 
In step 3420 T2XT3 is calculated. Here, the register T2 
stores Z^,, ( (xZd+Xd+2AZJ (xX^+ZJ -2AZ/) -X^.^ (X^-xZJ % the 
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register T3 stores l/2ByZdZd+iZd, and therefore 
{Zd+i( {xZd+Xd+2AZJ (xX^+ZJ -2AZ/)-Xd^i(Xd-xZd)'}/2ByZdZd+iZd is 
calculated. The result is stored in the register y^. 
In step 3421 T^xX^ is calculated. Here the register Ti 
5 stores 2ByZciZd+i, and therefore 2ByZdZd+iXd is calculated. 
The result is stored in the register T^. In step 3422 
T1XT3 is calculated. Here, the register T^^ stores 
2ByZdZd+iXd, the register T3 stores l/2ByZdZd+iZd/ and 
therefore 2ByZdZ^^iXd/2ByZdZd_,iZd (=Xd/Zd) is calculated. 
10 The result is stored in x^. In the step 3420 since 

{Zd^i( {xZd+X^+2AZJ (xX^+ZJ -2AZ/)-X^,,{Xd-xZj'}/2ByZ^Z^^,Z^ is 
stored in y^, and is not updated thereafter, the value 
is held. 

A reason why all the values in the affine 
15 coordinate (x^, y^) of the scalar-multiplied point in the 
Montgomery- form elliptic curve are recovered from x, y, 
Xj, Z^, ^d+i/ 2^+1 given to the coordinate recovering unit 
203 by the aforementioned procedure is as follows. 
Additionally, the point (d+l)P is a point obtained by 
20 adding the point P to the point dP. The assignment to 
the addition formulae in the affine coordinates of the 
Montgomery-form elliptic curve results in Equation 6. 
Since the points P and dP are points on the Montgomery- 
form elliptic curve, BY^^=K^^-i-Ax^^'^K^ and By^=xVAx^+x are 
25 satisfied. When the value is assigned to Equation 6, 
By/ and By^ are deleted, and the equation is arranged, 
the following is obtained. 
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= i^,^ + + X -h 2^) - 2^ - (x, - x)' }/(25y) 
. . . Equation 64 

Here, x^=X^/Z^, Xd+i=Xd+i/Zd4.i - The value is assigned and 
thereby converted to the value of the projective 
5 coordinate. Then, the following equation is obtained. 

y, = {z,,,((X,x + Z,)(Jr, +xZ,+2AZ,)-2AZ',)-iX, -xZ.f X,,,]/{2ByZ,Z,^,Z,) 

. - . Equation 65 

Although -k^^X^/Z^, the reduction to the denominator 
10 common with that of is performed for the purpose of 
reducing the frequency of inversion, and following 
equation is obtained- 

X, =(2ByZ,Z,,,X,WByZ,Z 

. . . Equation 66 

15 Here, x^/ yd are given by the processing of FIG. 34, 
Therefore, all values of the affine coordinate (x^/ y^i) 
are recovered. 

For the aforementioned procedure, in the 
steps 3401, 3405, 3406, 3408, 3410, 3411, 3413, 3415, 

20 3416, 3417, 3418, 3420, 3421, and 3422, the computa- 
tional amount of multiplication on the finite field is 
required. Moreover, the computational amount of 
squaring on the finite field is required in the step 
3404. Moreover, in the step 3419 the computational 

25 amount of inversion on the finite field is required. 
The computational amounts of addition and subtraction 
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on the finite field are relatively small as compared 
with the computational amounts of multiplication, 
squaring, and inversion on the finite field, and may 
therefore be ignored. Assuming that the computational 
5 amount of multiplication on the finite field is M, the 
computational amount of squaring on the finite field is 
S, and the computational amount of inversion on the 
finite field is I, the above procedure requires a 
computational amount of 14M+S+I. This is far small as 

10 compared with the computational amount of the fast 
scalar multiplication. For example, when the scalar 
value d indicates 160 bits, the computational amount of 
the fast scalar multiplication is estimated to be a 
little less than about 1500 M. Assuming S=0 . 8 M, 1=40 

15 M, the computational amount of coordinate recovering is 
54.8 M, and far small as compared with the computa- 
tional amount of the fast scalar multiplication. 
Therefore, it is indicated that the coordinate can 
efficiently be recovered. 

20 Additionally, even when the above procedure 

is not taken, but if the values of x^, yd given by the 
above equation can be calculated, the values of x^, yd 
can be recovered. In this case, the computational 
amount required for recovering generally increases. 

25 Furthermore, when the value of A or B as the parameter 
of the elliptic curve is set to be small, the computa- 
tional amount of multiplication in the step 3406 or 
3415 can be reduced. 
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A processing of the fast scalar multiplica- 
tion unit which outputs X^, Z^, X^+i/ Z^+i from the scalar 
value d and the point P on the Montgomery- form elliptic 
curve will next be described. 
5 As the fast scalar multiplication method of 

the scalar multiplication unit 202 of the fourteenth 
embodiment, the fast scalar multiplication method of 
the first embodiment is used. Thereby, as the 
algorithm which outputs X^, Z^, X^+i, Z^^^ from the scalar 

10 value d and the point P on the Montgomery- form elliptic 
curve, the fast algorithm can be achieved. Addition- 
ally, instead of using the aforementioned algorithm in 
the scalar multiplication unit 202, any algorithm may 
be used as long as the algorithm outputs X^, Z^, X^+i, Z^+i 

15 from the scalar value d and the point P on the 
Montgomery- form elliptic curve at high speed. 

The computational amount required for 
recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 

20 14M+S+I, and this is far small as compared with the 

computational amount of (9.2k-4.6)M necessary for fast 
scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
necessary for the scalar multiplication of the scalar 

25 multiplication unit 103 is substantially equal to the 
computational amount necessary for the fast scalar 
multiplication of the fast scalar multiplication unit. 
Assuming that 1=4 0 M, S=0-8 M, the computational amount 
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can be estimated to be about (9.2k+50)M. For example, 
when the scalar value d indicates 160 bits (k=160), the 
computational amount necessary for the scalar multipli- 
cation is 1522 M. The Weierstrass-f orm elliptic curve 
5 is used as the elliptic curve, the scalar multiplica- 
tion method is used in which the window method and the 
mixed coordinates mainly including the Jacobian 
coordinates are used, and the scalar-multiplied point 
is outputted as the affine coordinates. In this case, 

10 the required computational amount is about 164 0 M, and 
as compared with this, the required computational 
amount is reduced . 

In a fifteenth embodiment, the scalar 
multiplication unit 103 calculates and outputs the 

15 scalar-multiplied point (X^^Y^,Z^) with the complete 

coordinate given thereto as the point of the projective 
coordinates in the Montgomery- form elliptic curve from 
the scalar value d and the point P on the Montgomery- 
form elliptic curve. The scalar value d and the point 

20 P on the Montgomery- form elliptic curve are inputted 
into the scalar multiplication unit 103, and received 
by the scalar multiplication unit 202. The fast scalar 
multiplication unit 202 calculates X^i and in the 
coordinate of the scalar-multiplied point dP= (X^, Y^, Z^) 

25 represented by the projective coordinates in the 

Montgomery-form elliptic curve, and X^+i and Z^+^ in the 
coordinate of the point (d+1 ) P= (X^+i/ Y^+i, Z^+i) on the 
Montgomery-form elliptic curve represented by the 
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projective coordinates from the received scalar value d 
and the given point P on the Montgomery- form elliptic 
curve. The information is given to the coordinate 
recovering unit 203 together with the inputted point 
5 P=(x,y) on the Montgomery-form elliptic curve 

represented by the affine coordinates. The coordinate 
recovering unit 203 recovers coordinate X^, Y^/ and of 
the scalar-multiplied point dP= (X^, Y^, Z^) represented by 
the projective coordinates in the Montgomery-form 

10 elliptic curve from the given coordinate values X^, Z^, 
^d+if Zd+i, X, and y. The scalar multiplication unit 103 
outputs the scalar-multiplied point (X^^Y^^Z^) with the 
coordinate completely given thereto in the projective 
coordinates as the calculation result. 

15 A processing of the coordinate recovering 

unit which outputs X^, Y^, Z^ from the given coordinates 
X, y, X^, Zd/ Xrf+i/ Zd+i will next be described with refer- 
ence to FIG- 35. 

The coordinate recovering unit 203 inputs X^ 

20 and Z^ in the coordinate of the scalar-multiplied point 
dP= (X^i, Y^^, Zd) represented by the projective coordinates 
in the Montgomery- form elliptic curve, X^+i and Z^^.^ in 
the coordinate of the point (d+1 ) P= (X^+i, Y^^^, Z^^J on the 
Montgomery- form elliptic curve represented by the 

25 projective coordinates, and {x,y) as representation of 
the point P on Montgomery-form elliptic curve inputted 
into the scalar multiplication unit 103 in the affine 
coordinates, and outputs the scalar-multiplied point 
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(^d/YdfZd) with the complete coordinate given thereto in 
the projective coordinates in the following procedure. 
Here, the affine coordinate of the inputted point P on 
the Montgomery- form elliptic curve is represented by 
5 (x,y), and the projective coordinate thereof is 

represented by (Xi^Yi^zJ. Assuming that the inputted 
scalar value is d, the affine coordinate of the scalar- 
multiplied point dP in the Montgomery- form elliptic 
curve is represented by (x^^y^), and the projective 

10 coordinate thereof is represented by (X^fY^^Z^) . The 
affine coordinate of the point (d+l)P on the 
Montgomery- form elliptic curve is represented by 
(^d+i/ Yd+i) ^ snd the projective coordinate thereof is 
represented by (X^^i, Y^.i, Z^+J . 

15 In step 3501, xxZ^ is calculated and stored in 

the register T^. In step 3502 X^+T^ is calculated. 
Here, xZ^' is stored in the register T^, and therefore 
xZd+Xd is calculated. The result is stored in the 
register T2. In step 3503 X^-T^ is calculated, here the 

20 register T^ stores xZ^, and therefore xZ^-X^ is calcu- 
lated. The result is stored in the register T3. In 
step 3504 a square of the register T3 is calculated. 
Here, xZ^-X^ is stored in the register T3, and therefore 
(Xrf-xZd)^ is calculated. The result is stored in the 

25 register T3. In step 3505 T^xX^^^ is calculated. Here, 
(Xd-xZd)^ is stored in the register T3, and therefore 
Xd+i (X^-xZd) ^ is calculated. The result is stored in the 
. register T3. In step 3506 2AxZd is calculated, and 
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stored in the register T^. In step 3507 T2+T1 is 
calculated. Here, xZ^+X^ is stored in the register T2, 
2AZ^ is stored in the register T^, and therefore 
xZd+Xd+2AZ^ is calculated. The result is stored in the 
5 register T2 . In step 3508 xxX^ is calculated and stored 
in the register T^. In step 3509 T^-hZ^ is calculated. 
Here, the register T4 stores xX^, and therefore xX^+Z^ is 
calculated. The result is stored in the register T4. 
In step 3510 T2XT4 is calculated. Here T2 stores 

10 xZd+Xd+2AZd, the register T^ stores xX^+Z^, and therefore 
(xZd+Xd+2AZd) (xXd+Zd) is calculated. The result is 
stored in the register T2 . In step 3511 T^xZ^ is calcu- 
lated. Here, since the register T^ stores 2AZ^, 2AZ/ is 
calculated. The result is stored in the register T;^- 

15 In step 3512 T2-T1 is calculated. Here 

(xZd+Xd+2AZd) (xX^+Zd) is stored in the register T2, 2A.Z^^ 
is stored in the register Ti, and therefore 
(xZd+Xd4-2AZd) (xX^+Z^) -2AZ/ is calculated. The result is 
stored in the register T2 . In step 3513 T2xZd+i is 

20 calculated. Here (xZd+Xd+2AZd) (xX^+Z^) -2AZ/ is stored in 
the register T2, and therefore Z^+i ( (xZd+Xd+2AZd) (xX^+Z^^) - 
2AZ/) is calculated. The result is stored in the 
register T2 . In step 3514 T2-T3 is calculated. Here 
Zd+i ( (xZd+Xd+2AZd) (xX^+Zd) -2AZ/) is stored in the register 

25 T2, Xd+i (Xd-xZ^) ^ is stored in the register T3, and 

therefore Z^.^ ( (xZ^+X^+2AZ J (xX^+Z J -2AZ/) -X^,, (X^-xZ J ' is 
calculated. The result is stored in the register Y^. 
In step 3515 2Bxy is calculated, and stored in the 
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register T^, In step 3516 T^xZ^ is calculated. Here, 
Since 2By is stored in the register T^, 2ByZd is 
calculated. The result is stored in the register T^. 
In step 3417 T^xZ^+i is calculated. Here, since the 
5 register stores 2ByZd, ^ByZ^Zd+i is calculated. The 
result is stored in the register Ti. In step 3518 T^xX^ 
is calculated. Here, since the register T^ stores 
2ByZdZd^-i, 2ByZdZ^^iX^ is calculated. The result is stored 
in the register X^. In step 3519 T^xZ^ is calculated. 

10 Here, since the register T^ stores 2ByZdZd+i, 2ByZdZd+iZd is 
calculated. The result is stored in the register Z^. 
Since 2ByZdZd^iXd is stored in X^ in the step 3518, and is 
not updated thereafter, the value is held. Since 
2d+i( (xZ^+Xd+2AZJ (xXd+Zd)-2AZ/)-Xd,i(Xd-xZ^)' is stored in 

15 Yd, and is not updated thereafter, the value is held. 

A reason why all the values in the projective 
coordinate {X^,Y^,Z^) of the scalar-multiplied point are 
recovered from x, y, X^, Z^, X^^^, Z^+i by the afore- 
mentioned procedure is as follows. Additionally, the 

20 point (d+l)P is a point obtained by adding the point P 
to the point dP. The assignment to the addition 
formulae in the affine coordinates of the Montgomery- 
form elliptic curve results in Equation 6. Since the 
points P and dP are points on the Montgomery- form 

25 elliptic curve, By/=Xd^+Ax/+Xd and By^=x^+Ax^+x are 

satisfied. When the value is assigned to Equation 6, 
By^^ and By^ are deleted, and the equation is arranged. 
Equation 64 is obtained. Here, x^=-X^/Z^, x^^i^Xd+i/Z^^i . 



197 

The value is assigned and thereby converted to the 
value of the projective coordinate. Then, the Equation 
65 is obtained. Although k^=XJz^, the reduction to the 
denominator common with that of is performed for the 
5 purpose of reducing the frequency of inversion, and 
Equation 66 results. As a result, the following 
equation is obtained. 

Y, = Z,^, [(X, + xZ, + 2AZ, )(X,x + Z, ) - 2AZ', ]-(X,- xZ, X,,, 
. . . Equation 67 

10 Here, X^, may be updated by the following equations. 

2ByZ,Z,,,X, 

. . . Equation 68 

2ByZ,Z,,,X, 

. - • Equation 69 

15 Here, X^, Y^, are given by the processing of FIG. 35. 

Therefore, all the values of the projective coordinate 

(Xd,Yd/Zd) are recovered. 

For the aforementioned procedure, in the 

steps 3501, 3505, 3506, 3508, 3510, 3511, 3513, 3515, 
20 3516, 3517, 3518, and 3519, the computational amount of 

multiplication on the finite field is required. 

Moreover, the computational amount of squaring on the 

finite field is required in the step 3504. The 

computational amounts of addition and subtraction on 
25 the finite field are relatively small as compared with 

the computational amounts of multiplication and squar- 
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ing on the finite field, and may therefore be ignored. 
Assuming that the computational amount of multiplica- 
tion on the finite field is M, and the computational 
amount of squaring on the finite field is S, the above 
5 procedure requires a computational amount of 12M+S. 
This is far small as compared with the computational 
amount of the fast scalar multiplication. For example, 
when the scalar value d indicates 160 bits, the 
computational amount of the fast scalar multiplication 

10 is estimated to be a little less than about 1500 M. 

Assuming S=0. 8 M, the computational amount of coordi- 
nate recovering is 12.8 M, and far small as compared 
with the computational amount of the fast scalar 
multiplication. Therefore, it is indicated that the 

15 coordinate can efficiently be recovered. 

Additionally, even when the above procedure 
is not taken, but if the values of X^, Y^, given by 
the above equation can be calculated, the values of X^, 
Yd, Zd can be recovered. Moreover, the values of X^, Y^, 

20 Zd are selected so that x^, yd take the values given by 
the aforementioned equations, the values can be calcu- 
lated, and then X^, Y^, can be recovered. In this 
case, the computational amount required for recovering 
generally increases. Furthermore, when the value of A 

25 or B as the parameter of the elliptic curve is set to 

be small, the computational amount of multiplication in 
the step 3506 or 3515 can be reduced. 

An algorithm for outputting X^, Z^, X^+i, Z^+i 
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from the scalar value d and the point P on the 
Montgomery- form elliptic curve will next be described. 

As the fast scalar multiplication method of 
the scalar multiplication unit 202 of the fifteenth 
5 embodiment, the fast scalar multiplication method of 
the first embodiment is used. Thereby, as the 
algorithm which outputs X^, Z^, X^+i, Z^+i from the scalar 
value d and the point P on the Montgomery- form elliptic 
curve, the fast algorithm can be achieved. Addition- 

10 ally, instead of using the aforementioned algorithm in 
the scalar multiplication unit 202, any algorithm may 
be used as long as the algorithm outputs X^, Z^, X^+i, Zd+; 
from the scalar value d and the point P on the 
Montgomery-form elliptic curve at high speed. 

15 The computational amount required for 

recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 
12M+S, and this is far small as compared with the 
computational amount of (9.2k-4.6)M necessary for fast 

20 scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 
computational amount necessary for the fast scalar 

25 multiplication of the fast scalar multiplication unit. 
Assuming that S=0,8 M, the computational amount can be 
estimated to be about (9.2k+8)M. For example, when the 
scalar value d indicates 160 bits (k=160) , the computa- 



200 

tional amount necessary for the scalar multiplication 
is 1480 M. The Weierstrass-f orm elliptic curve is used 
as the elliptic curve, the scalar multiplication method 
is used in which the window method and the mixed 
5 coordinates mainly including the Jacobian coordinates 
are used, and the scalar-multiplied point is outputted 
as the Jacobian coordinates. In this case, the 
required computational amount is about 1600 M, and as 
compared with this, the required computational amount 

10 is reduced. 

In a sixteenth embodiment, the scalar 
multiplication unit 103 calculates and outputs the 
scalar-multiplied point (x^, y^) with the complete 
coordinate given thereto as the point of the affine 

15 coordinates in the Montgomery-form elliptic curve from 
the scalar value d and the point P on the Montgomery- 
form elliptic curve. The scalar value d and the point 
P on the Montgomery-form elliptic curve are inputted 
into the scalar multiplication unit 103, and received 

20 by the scalar multiplication unit 202. The fast scalar 
multiplication unit 202 calculates x^ in the coordinate 
of the scalar-multiplied point dP==(Xd,yd) represented by 
the affine coordinates in the Montgomery-form elliptic 
curve, and x^+i in the coordinate of the point {dH-l)P= 

25 (Xd+i,ycn-i) on the Montgomery- form elliptic curve 

represented by the affine coordinates from the received 
scalar value d and the given point P on the Montgomery- 
form elliptic curve. The information is given to the 
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coordinate recovering unit 203 together with the 
inputted point P=(x,y) on the Montgomery- form elliptic 
curve represented by the affine coordinates. The 
coordinate recovering unit 203 recovers coordinate y^ of 
the scalar-multiplied point dP-(Xd,yJ represented by 
the affine coordinates in the Montgomery- form elliptic 
curve from the given coordinate values x^, x^+i, x, and 
^y. The scalar multiplication unit 103 outputs the 
scalar-multiplied point (x^,y^) with the coordinate 
completely given thereto in the affine coordinates as 
the calculation result. 

A processing of the coordinate recovering 
unit which outputs x^, y^ from the given coordinates x, 
y, x^, x^+i will next be described with reference to FIG. 
36. 

The coordinate recovering unit 2 03 inputs x^ 
in the coordinate of the scalar-multiplied point 
dP=(Xd,yd) represented by the affine coordinates in the 
Montgomery-form elliptic curve, x^^^ in the coordinate of 
the point on the Montgomery-form elliptic curve {d+l)P= 
(^d+i/Yd+i) represented by the affine coordinates, and 
(x,y) as representation of the point P on the 
Montgomery- form elliptic curve in the affine coordi- 
nates inputted into the scalar multiplication unit 103, 
and outputs the scalar-multiplied point (Xd,yd) with the 
complete coordinate given thereto in the affine coordi- 
nates in the following procedure. 

In step 3601 x^xx is calculated, and stored in 
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the register T^, In step 3602 T^+l is calculated. 
Here, since x^x is stored in the register T^, x^x+l is 
calculated. The result is stored in the register Ti. 
In step 3603 x^+x is calculated, and stored in the 
5 register T2 . In step 3604 T2+2A is calculated. Here, 
since x^+x is stored in the register T2, Xd+x+2A is 
calculated. The result is stored in the register Tg. 
In step 3605 T^xTs is calculated. Here, since x^x+l is 
stored in the register T^, and Xd+x+2A is stored in the 

10 register T2, (x^x+l) (Xd-hx+2A) is calculated. The result 
is stored in the register T^ . In step 3606 Ti-2A is 
calculated. Here, since (x^iX+l) (Xd+x+2A) is stored in 
the register T^, (x^x+l) {Xd+x+2A) -2A is calculated. The 
result is stored in the register T-l . In step 3607 x^-x 

15 is calculated, and stored in the register T2 . In step 
3608 a square of T2 is calculated. Here, since x^-x is 
stored in the register T2, (x^-x)^ is calculated. The 
result is stored in the register T2. In step 3609 T^y^x^^ 
is calculated. Here, since (x^-x)^ is stored in the 

20 register T2, (Xd-x)^Xd+i is calculated. The result is 
stored in the register T2. In step 3610 T1-T2 is 
calculated. Here, since (x^x+l) (Xd+x+2A)-2A is stored 
in the register and (k^-k)^x^^j^ is stored in the 
register Tg, (x^x+l ) (Xd+x+2A) -2A- (x^-x) ^x^+i is calculated, 

25 The result is stored in the register T^. In step 3611, 
2Bxy is calculated, and stored in the register T2. In 
step 3612 the inverse element of T2 is calculated. 
Here, since 2By is stored in the register T2, l/2By is 
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calculated. The result is stored in the register T2. 
In step 3613 T1XT2 is calculated. Here, since 
(x^x+l) (Xd+x+2A) -2A-- (Xd-x) ^Xd+i is stored in the register 
Ti and l/2By is stored in the register T2, 
5 (x^x+l) (Xd+x+2A) -2A- (x^-x) ^Xd+i/2By is calculated. The 
result is stored in the register y^. Therefore, 
(x^x+l) (Xd+x+2A) -2A- (x^-x) ^Xd+i/2By is stored in the 
register y^. Since the x^^ is not updated, the inputted 
value is held. 

10 A reason why the y-coordinate y^ of the 

scalar-multiplied point is recovered by the afore- 
mentioned procedure is as follows. The point (d+l)P is 
obtained by adding the point P to the point (d+l)P. 
The assignment to the addition formulae in the affine 

15 coordinates of the Montgomery- form elliptic curve 

results in Equation 6. Since the points P and dP are 
points on the Montgomery-form elliptic curve, 
Byd^=Xd^+Ax/+Xd and By^=x^+Ax^+x are satisfied. When the 
value is assigned to Equation 6, By/ and By^ are 

20 deleted, and the equation is arranged. Equation 64 is 
obtained. Here, x^, yd are given by the processing of 
FIG- 36. Therefore, all the values of the affine 
coordinate {k^, y^) are recovered. 

For the aforementioned procedure, in the 

25 steps 3601, 3605, 3609, 3611, and 3613, the computa- 
tional amount of multiplication on the finite field is 
required. Moreover, the computational amount of 
'squaring on the finite field is required in the step 
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3608. Furthermore, the computational amount of the 
inversion on the finite field is required in the step 
3612. The computational amounts of addition and 
subtraction on the finite field are relatively small as 
5 compared with the computational amounts of multipli- 
cation, squaring, and inversion on the finite field, 
and may therefore be ignored. Assuming that the 
computational amount of multiplication on the finite 
field is M, the computational amount of squaring on the 

10 finite field is S, and the computational amount of 

inversion on the finite field is I, the above procedure 
requires a computational amount of 5M+S+I. This is far 
small as compared with the computational amount of the 
fast scalar multiplication. For example, when the 

15 scalar value d indicates 160 bits, the computational 
amount of the fast scalar multiplication is estimated 
to be a little less than about 1500 M. Assuming S=0.8 
M, 1=4 0 M, the computational amount of coordinate 
recovering is 45.8 M, and far small as compared with 

20 the computational amount of the fast scalar multipli- 
cation. Therefore, it is indicated that the coordinate 
can efficiently be recovered. 

Additionally, even when the above procedure 
is not taken, but if the values of the right side of 

25 the equation can be calculated, the value of y^ can be 
recovered. In this case, the computational amount 
required for recovering generally increases. Further- 
more, when the value of B as the parameter of the 
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elliptic curve is set to be small, the computational 
amount of multiplication in the step 2 605 can be 
reduced. 

A processing of the fast scalar multipli- 
5 cation unit for outputting x^, k^i+i from the scalar value 
d and the point P on the Montgomery-f orm elliptic curve 
will next be described with reference to FIG. 43. 

The fast scalar multiplication unit 202 
inputs the point P on the Montgomery- form elliptic 

10 curve inputted into the scalar multiplication unit 103, 
and outputs x^ in the scalar-multiplied point dP=(Xd, yc) 
represented by the affine coordinate in the Montgomery- 
form elliptic curve, and x^^^ in the point (d+l)P= 
(^d+i/Yd+i) the Montgomery-form elliptic curve 

15 represented by the affine coordinate by the following 
procedure. In step 4301, the initial value 1 is 
assigned to the variable I. The doubled point 2P of 
the point P is calculated in step 4302. Here, the 
point P is represented as (x,y, 1) in the projective 

20 coordinate, and the formula of doubling in the projec- 
tive coordinate of the Montgomery- form elliptic curve 
is used to calculate the doubled point 2P. In step 
4303, the point P on the elliptic curve inputted into 
the scalar multiplication unit 103 and the point 2P 

25 obtained in the step 4302 are stored as a set of points 
(P,2P). Here, the points P and 2P are represented by 
the projective coordinate. It is judged in step 4304 
whether or not the variable I agrees with the bit 
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length of the scalar value d. With agreement, the flow 
goes to step 4315. With disagreement, the flow goes to 
step 4305. The variable I is increased by 1 in the 
step 4305. It is judged in step 4306 whether the value 
5 of the I-th bit of the scalar value is 0 or 1. When 
the value of the bit is 0, the flow goes to the step 
4307. When the value of the bit is 1, the flow goes to 
step 4310. In step 4307, addition mP+(m+l)P of points 
mP and (m+l)P is performed from the set of points 

10 (mP, (m+l)P) represented by the projective coordinate, 
and the point (2m+l)P is calculated- Thereafter, the 
flow goes to step 4308. Here, the addition mP+(m+l)P 
is calculated using the addition formula in the 
projective coordinate of the Montgomery- form elliptic 

15 curve. In step 4308, doubling 2 (mP) of the point mP is 
performed from the set of points (mP, (m+l)P) 
represented by the projective coordinate, and the point 
2mP is calculated. Thereafter, the flow goes to step 
4309. Here, the doubling 2 (mP) is calculated using the 

20 formula of doubling in the projective coordinate of the 
Montgomery- form elliptic curve. In the step 4309, the 
point 2mP obtained in the step 4308 and the point 
(2m+l)P obtained in the step 4307 are stored as the set 
of points (2mP, (2m4-l)P) instead of the set of points 

25 (mP, (m+l)P). Thereafter, the flow returns to the step 
4304. Here, the points 2mP, (2m+l)P, mP, and (m+l)P 
are all represented in the projective coordinates. In 
step 4310, addition mP+(m+l)P of the points mP, (m+l)P 
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is performed from the set of points (mP, (m+l)P) 
represented by the projective coordinates, and the 
point (2m+l)P is calculated. Thereafter, the flow goes 
to step 4311. Here, the addition mP+(m+l)P is calcu- 
5 lated using the addition formula in the projective 

coordinates of the Montgomery- form elliptic curve. In 
the step 4311, doubling 2((m+l)P) of the point (m+l)P 
is performed from the set of points (mP, (m+l)P) 
represented by the projective coordinates, and the 

10 point (2m+2)P is calculated. Thereafter, the flow goes 
to step 4312. Here, the doubling 2{(m+l)P) is calcu- 
lated using the formula of doubling in the projective 
coordinates of the Montgomery- form elliptic curve. In 
the step 4312, the point (2m+l)P obtained in the step 

15 4310 and the point {2m+2)P obtained in the step 4311 
are stored as the set of points ( (2m+l) P, (2m+2) P) 
instead of the set of points (mP, (m+l)P). Thereafter, 
the flow returns to the step 4304. Here, the points 
(2m+l)P, (2m+2)P, mP, and (m+l)P are all represented in 

20 the projective coordinates. In step 4315, X^^ and as 
Xd and Zd from the point mP= (X^, Y^, Z^) represented by the 
projective coordinates and X^^+i and Z^^^ as X^+i and Z^+i 
from the point (m+1 ) P= (X^^^, Y^+i, Z^+J represented by the 
projective coordinates are obtained. Here, Y^^ and Y^+^ 

25 are not obtained, because Y-coordinate cannot be 

obtained by the addition and doubling formulae in the 
projective coordinates of the Montgomery- form elliptic 
curve. From X^, Z^, X^+i and Z^+i, x^^XdZd+i/ZdZd+i and 
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Xd+i=ZdXd+i/ZdZd+i are set, and x^/ Xc+i are obtained. 
Thereafter, the flow goes to step 4313. In the step 
4313, x^, Xd+i are outputted. In the above procedure, m 
and scalar value d are equal in the bit length and bit 
5 pattern, and are therefore equal. 

The computational amount of the addition 
formula in the projective coordinates of the 
Montgomery-form elliptic curve is 3M+2S with Zi=l . 
Here, M is the computational amount of multiplication 

10 on the finite field, and S is the computational amount 
of squaring on the finite field. The computational 
amount of the doubling formula in the projective 
coordinates of the Montgomery- form elliptic curve is 
3M+2S. When the value of the I-th bit of the scalar 

15 value is 0, the computational amount of addition in the 
step 4307, and the computational amount of doubling in 
the step 4308 are required. That is, the computational 
amount of 6M+4S is required. When the value of the I- 
th bit of the scalar value is 1, the computational 

20 amount of addition in the step 4310, and the computa- 
tional amount of doubling in the step 4311 are 
required. That is, the computational amount of 6M+4S 
is required. In any case, the computational amount of 
6M+4S is required. The number of repetitions of the 

25 steps 4304, 4305, 4306, 4307, 4308, 4309, or the steps 
4304, 4305, 4306, 4310, 4311, 4312 is (bit length of 
the scalar value d)-l. Therefore, in consideration of 
the computational amount of doubling in the step 4 3 02, 
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and the computational amount of the transform to the 
affine coordinates, the entire computational amount is 
(6M+4S) k+2M-2S+I - Here, k is the bit length of the 
scalar value d. In general, since the computational 
5 amount S is estimated to be of the order of S=0 . 8 M, 
and the computational amount I is estimated to be of 
the order of 1=40 M, the entire computational amount is 
approximately (9 . 2k+40 . 4)M. For example, when the 
scalar value d indicates 160 bits (k=160) , the 

10 computational amount of algorithm of the aforementioned 
procedure is about 1512 M. The computational amount 
per bit of the scalar value d is about 9.2 M. In A. 
Miyaji, T. Ono, H. Cohen, Efficient elliptic curve 
exponentiation using mixed coordinates. Advances in 

15 Cryptology Proceedings of ASIACRYPT' 98 , LNCS 1514 

(1998) pp. 51-65, the scalar multiplication method using 
the window method and mixed coordinates mainly includ- 
ing Jacobian coordinates in the Weierstrass-f orm 
elliptic curve is described as the fast scalar 

20 multiplication method. In this case, the computational 
amount per bit of the scalar value is estimated to be 
about 10 M. Additionally, the computational amount of 
the transform to the affine coordinates is required. 
For example, when the scalar value d indicates 160 bits 

25 (k=160), the computational amount of the scalar multi- 
plication method is about 1640 M. Therefore, the 
algorithm of the aforementioned procedure can be said 
to have a small computational amount and high speed. 
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Additionally, instead of using the afore- 
mentioned algorithm in the scalar multiplication unit 
202, any algorithm may be used as long as the algorithm 
outputs Xd, Xd+i from the scalar value d and the point P 
5 on the Montgomery- form elliptic curve at high speed. 

The computational amount required for 
recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 
5M+S+I, and this is far small as compared with the 

10 computational amount of (9.2k+40.4)M necessary for fast 
scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 

15 computational amount necessary for the fast scalar 

multiplication of the fast scalar multiplication unit. 
Assuming that S=0.8 M, 1=40 M, the computational amount 
can be estimated to be about ( 9 . 2k+8 6 . 2 ) M. For 
example, when the scalar value d indicates 160 bits 

20 {k=160) , the computational amount necessary for the 

scalar multiplication is 1558 M. The Weierstrass-f orm 
elliptic curve is used as the elliptic curve, the 
scalar multiplication method is used in which the 
window method and the mixed coordinates mainly includ- 

25 ing the Jacobian coordinates are used, and the scalar- 
multiplied point is outputted as the affine coordi- 
nates. In this case, the required computational amount 
is about 164 0 M, and as compared with this, the 
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required computational amount is reduced. 

In a seventeenth embodiment, the Weierstrass- 
f orm elliptic curve is used as the elliptic curve • 
That is, the elliptic curve for use in input/output of 
5 the scalar multiplication unit 103 is Weierstrass-f orm 
elliptic curve. Additionally, as the elliptic curve 
for use in the internal calculation of the scalar 
multiplication unit 103, the Montgomery- form elliptic 
curve which can be transformed from the Weierstrass- 

10 form elliptic curve may be used. The scalar multipli- 
cation unit 103 calculates and outputs the scalar- 
multiplied point (Xdf yd) with the complete coordinate 
given thereto as the point of the affine coordinates in 
the Weierstrass-f orm elliptic curve from the scalar 

15 value d and the point P on the Weierstrass-f orm 

elliptic curve. The scalar value d and the point P on 
the Weierstrass-form elliptic curve are inputted into 
the scalar multiplication unit 103, and received by the 
scalar multiplication unit 202, The fast scalar 

20 multiplication unit 202 calculates and in the 

coordinate of the scalar-multiplied point dP= (X^, Y^/ Z^,) 
represented by the projective coordinates in the 
Weierstrass-form elliptic curve, and X^^^ and Z^+i in the 
coordinate of the point (d+1 ) P= (X^+i, Y^+i, Z^+i) on the 

25 Weierstrass-form elliptic curve represented by the 

projective coordinates from the received scalar value d 
and the given point P on the Weierstrass-form elliptic 
curve. The information is given to the coordinate 
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recovering unit 203 together with the inputted point 
P=(x,y) on the Weierstrass-f orm elliptic curve 
represented by the affine coordinates. The coordinate 
recovering unit 2 03 recovers coordinate x^, and of 
5 the scalar-multiplied point dP= (x^, y^) represented by 
the affine coordinates in the Weierstrass-f orm elliptic 
curve from the given coordinate values X^, Z^/ X^+i/ ^d+if 
X, and y. The scalar multiplication unit 103 outputs 
the scalar-multiplied point (Xd/yd) with the coordinate 

10 completely given thereto in the affine coordinates as 
the calculation result. 

A processing of the coordinate recovering 
unit which outputs x^, y^ from the given coordinates x, 
y, X^, Z^, >^d+i/ ^d+i will next be described with reference 

15 to FIG. 37. 

The coordinate recovering unit 2 03 inputs X^ 
and Zd in the coordinate of the scalar-multiplied point 
dP= (X^, Y^, Z^) represented by the projective coordinates 
in the Weierstrass-f orm elliptic curve, X^^^^ and Z^+i in 

20 the coordinate of the point (d+1 ) P= (X^+i, Y^+i, Z^+i) on the 
Weierstrass-f orm elliptic curve represented by the 
projective coordinates, and (x,y) as representation of 
the point P on Weierstrass-f orm elliptic curve inputted 
into the scalar multiplication unit 103 in the affine 

25 coordinates, and outputs the scalar-multiplied point 
(^d/Yd) with the complete coordinate given thereto in 
the affine coordinates in the following procedure. 
Here, the affine coordinate of the inputted point P on 
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the Weierstrass-f orm elliptic curve is represented by 
(x,y), and the projective coordinate thereof is 
represented by (Xi.Y^^Zi). Assuming that the inputted 
scalar value is d, the affine coordinate of the scalar- 
5 multiplied point dP in the Montgomery-form elliptic 
curve is represented by (^df Yd) f ^^ici the projective 
coordinate thereof is represented by (X^/Yd/Zd). The 
affine coordinate of the point (d+l)P on the 
Weierstrass-f orm elliptic curve is represented by 

10 (Xd+i,yd+i)/ and the projective coordinate thereof is 
represented by (X^+i, Y^+i, Z^+J . 

In step 3701;. xxZ^, is calculated and stored in 
the register T^. In step 3702 X^+T^ is calculated. 
Here, xZ^ is stored in the register T^, and therefore 

15 xZd+Xd is calculated. The result is stored in the 

register T2 - In step 3703 X^-T^ is calculated, here the 
register T^ stores xZ^/ and therefore xZ^-X^ is calcu- 
lated. The result is stored in the register T3. In 
step 3704 a square of the register T3 is calculated. 

20 Here, since xZ^-X^ is stored in the register T3, (X^-xZ^)^ 
is calculated. The result is stored in the register T3. 
In step 3705 T3xXd+i is calculated. Here, since (X^-xZ^)^ 
is stored in the register T3, X^+i (X^-xZ^) ^ is calculated. 
The result is stored in the register T3. In step 3706 

25 xxXd is calculated, and stored in the register Ti. In 

step 3707 axZ^ is calculated, and stored in the register 
T4. In step 3708 T1+T4 is calculated. Here, since xX^ 
is stored in the register T^, and aZ^ is stored in the 
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register T4, xX^+aZ^i is calculated. The result is stored 
in the register T^. In step 3709 T^xT2 is calculated. 
Here, since the register Ti stores xX^+aZ^/ and xZ^i+X^ is 
stored in the register T2, (xX^+aZ^) (xZ^+X^) is calcu- 
5 lated. The result is stored in the register T^. In 
step 3710 a square of Z^ is calculated, and stored in 
the register T2 - In step 3711 T2x2b is calculated. 
Here, since the register T2 stores Z^^, 2bZ/ is calcu- 
lated. The result is stored in the register T2. In 

10 step 3712 T14-T2 is calculated. Here, since 

(xXd+aZd) (xZ^+Xd) is stored in the register T^ and 2bZd^ 
is stored in the register T2, (xX^+aZ^) (xZ^+X^) +2bZ/ is 
calculated. The result is stored in the register T^. 
In step 3713 T^^xZ^^^ is calculated. Here, since 

15 (xXd+aZd) (xZd+Xd) +2bZ/ is stored in the register T^, 

Zd+i { (xXj+aZ^) (xZd+X^) +2bZd^) is calculated. The result is 
stored in the register T^. In step 3714 T1-T3 is 
calculated. Here, since Z^+i ( (xXd+aZ^) (xZ^+X^) +2bZ/) is 
stored in the register T^ and X^^^ (X^-xZ^) ^ is stored in 

20 the register T3, Z^^^ ( (xX^+aZJ (xZ^+X^) +2bZ/) -X^^i (X^-xZ^) ' 
is calculated, and the result is stored in the register 
Ti- In step 3715 2yxZd is calculated, and stored in the 
register T2 . In step 3716 TsXZ^+i is calculated. Here, 
since the register T2 stores 2yZd, 2yZdZd+i is calculated, 

25 and the result is stored in the register Tg. In step 

3717 TjXZd is calculated. Here, since 2yZdZd+i is stored 
in the register T2, 2yZdZd^iZd is calculated, and the 
result is stored in the register T3. In step 3718, the 



inverse element of the register T3 is calculated- Here, 
since the register T3 stores 2^7s^Z^^^Z^ is stored, 
l/2yZdZd+iZd is calculated, and the result is stored in 
the register T3. In step 3719 T1XT3 is calculated. 
5 Here, since the register stores Z^+i ( (xX^+aZ^) (xZ^+X^) + 
2bZd^) -Xd+i (Xd-xZd) ^ and the register T3 stores l/2yZdZd+iZ^, 
Zd+i( (xXd+aZd) {xZd+XJ+2bZ/)-Xd,i(Xd-xZJ V2yZdZ^,,Zd is 
calculated, and the result is stored in the register y^. 
In step 3720 T2xXd is calculated- Here, since the 

10 register T2 stores 2yZdZd+i, 2yZdZd+iXd is calculated, and 
the result is stored in the register T2. In step 3721 
T2XT3 is calculated. Here, since T2 stores 2^Z^^^^^ and 
the register T3 stores l/2yZdZd4.iZd/ 2yZdZd+iXd/2yZdZd+iZd is 
calculated, and the result is stored in the register x^. 

15 Therefore, the register x^ stores 2yZdZd+iXd/2yZdZd+iZd. In 
the step 3719 since Z^+i ( (xXd+aZJ (xZ^+XJ +2bZd') -x^^, (X^- 
xZd) ^/2yZdZd+iZd is stored in the register y^, and is not 
updated thereafter, the value is held. 

A reason why all the values in the affine 

20 coordinate (Xd,yci) of the scalar-multiplied point in the 
Weierstrass-f orm elliptic curve are recovered from the 
given x, y, X^, Z^, X^+i, Z^+i by the aforementioned 
procedure is as follows. Additionally, the point 
(d+l)P is a point obtained by adding the point P to the 

25 point dP. The assignment to the addition formulae in 

the affine coordinates of the Weierstrass-f orm elliptic 
curve results in Equations 27. Since the points P and 
dP are points on the Weierstrass-f orm elliptic curve. 
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y/=XdVaXd+b and y^=x^+ax+b are satisfied. When the 
value is assigned to Equation 27, y/ and y^ are deleted, 
and the equation is arranged, the following equation is 
obtained. 

^ yci= k^,^ + ^X^d +x) + 2b- {X, - xf x^^, }/(2y) 

. . . Equation 70 

Here, x^=X^/Z^, ^d+i^^d+i/2d+i • The value is assigned and 
thereby converted to the value of the projective 
coordinate. Then, the following equation is obtained. 

10 y,= {z,^XiX,x + aZ,XX, -^xZ,)-2bzi)-{X, - xZ,y X,J/(2yZ,Z,^,Z,) 

. . . Equation 71 

Although Xd=Xd/Zd/ the reduction to the denominator 
coimnon with that of y^ is performed for the purpose of 
reducing the frequency of inversion, and the following 
15 equation results. 

. . . Equation 72 

Here, x^, y^ are given by the processing shown in FIG. 
37. Therefore, all the values of the affine coordinate 

20 (Xd/yd) are recovered. 

For the aforementioned procedure, in the 
steps 3701, 3705, 3706, 3707, 3709, 3710, 3711, 3713, 
3715, 3716, 3717, 3719, 3720, and 3721, the computa- 
tional amount of multiplication on the finite field is 

25 required- Moreover, the computational amount of 
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squaring on the finite field is required in the step 
3704. Furthermore, the computational amount of the 
inversion on the finite field is required in the step 
3718. The computational amounts of addition and 
5 subtraction on the finite field are relatively small as 
compared with the computational amounts of multiplica- 
tion, squaring, and inversion on the finite field, and 
may therefore be ignored. Assuming that the computa- 
tional amount of multiplication on the finite field is 

10 M, the computational amount of squaring on the finite 
field is S, and the computational amount of inversion 
on the finite field is I, the above procedure requires 
a computational amount of 14M+S+I. This is far small 
as compared with the computational amount of the fast 

15 scalar multiplication. For example, when the scalar 

value d indicates 160 bits, the computational amount of 
the fast scalar multiplication is estimated to be a 
little less than about 1500 M. Assuming S=0.8 M, 1=40 
M, the computational amount of coordinate recovering is 

20 54.8 M, and far small as compared with the computa- 
tional amount of the fast scalar multiplication. 
Therefore, it is indicated that the coordinate can 
efficiently be recovered. 

Additionally, even when the above procedure 

25 is not taken, but if the values of x^/ Yd can be 

calculated, the values of x^. Yd can be recovered. In 
this case, the computational amount required for 
recovering generally increases. 
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A processing of the fast scalar multiplica- 
tion unit for outputting X^j, Z^, ^d+i/ '^d+i from the scalar 
value d and the point P on the Weierstrass-f orm 
elliptic curve will next be described with reference to 
5 FIG. 44. 

The fast scalar multiplication unit 202 
inputs the point P on the Weierstrass-f orm elliptic 
curve inputted into the scalar multiplication unit 103, 
and outputs X^, and in the scalar-multiplied point 

10 dP— (Xd, Y^, Z^) represented by the projective coordinate in 
the Weierstrass-f orm elliptic curve, and X^+i and Z^+i in 
the point (d+1 ) P= (X^+i/ Y^+i/ Z^+i) on the Weierstrass-f orm 
elliptic curve represented by the projective coordinate 
by the following procedure. In step 4416, the given 

15 point P on the Weierstrass-f orm elliptic curve is 

transformed to the point represented by the projective 
coordinates on the Montgomery- form elliptic curve. 
This point is set anew to point P. In step 4401, the 
initial value 1 is assigned to the variable I. The 

20 doubled point 2P of the point P is calculated in step 
4402. Here, the point P is represented as (x,y, 1) in 
the projective coordinate, and the doubling formula in 
the projective coordinate of the Montgomery-form 
elliptic curve is used to calculate the doubled point 

25 2P. In step 4403, the point P on the elliptic curve 
inputted into the scalar multiplication unit 103 and 
the point 2P obtained in the step 4402 are stored as a 
set of points (P,2P). Here, the points P and 2P are 
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represented by the projective coordinate. It is judged 
in step 4404 whether or not the variable I agrees with 
the bit length of the scalar value d. With agreement, 
the flow goes to step 4415. With disagreement, the 
5 flow goes to step 4405. The variable I is increased by 
1 in the step 4405. It is judged in step 4406 whether 
the value of the I-th bit of the scalar value is 0 or 
1. When the value of the bit is 0, the flow goes to 
the step 4407. When the value of the bit is 1, the 

10 flow goes to step 4410. In step 4407, addition 

mP+(m+l)P of points mP and (m+l)P is performed from a 
set of points (mP, (m+l)P) represented by the projective 
coordinate, and the point (2m+l)P is calculated. 
Thereafter, the flow goes to step 4408. Here, the 

15 addition mP+(m+l)P is calculated using the addition 

formula in the projective coordinate of the Montgomery- 
form elliptic curve. In step 4408, doubling 2 (mP) of 
the point mP is performed from the set of points 
(mP, (m+l)P) represented by the projective coordinate, 

20 and the point 2mP is calculated. Thereafter, the flow 
goes to step 4409. Here, the doubling 2 (mP) is calcu- 
lated using the formula of doubling in the projective 
coordinate of the Montgomery- form elliptic curve. In 
the step 4409, the point 2mP obtained in the step 4408 

25 and the point (2m+l)P obtained in the step 4407 are 

stored as a set of points (2mP, (2m+l)P) instead of the 
set of points (mP, (m+l)P) . Thereafter, the flow 
returns to the step 4404. Here, the points 2mP, 
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(2m+l)P, mP, and (in+l)P are all represented in the 
projective coordinates. In step 4410, addition 
mP+(iti+l)P of the points mP, (m+l)P is performed from 
the set of points (mP, (m+l)P) represented by the 
5 projective coordinates, and the point (2m+l)P is 

calculated. Thereafter, the flow goes to step 4411. 
Here, the addition mP+(m+l)P is calculated using the 
addition formula in the projective coordinates of the 
Montgomery- form elliptic curve. In the step 4411, 

10 doubling 2((m4-l)P) of the point (m+l)P is performed 

from the set of points (mP, (m+l)P) represented by the 
projective coordinates, and the point (2m+2)P is 
calculated. Thereafter, the flow goes to step 4412. 
Here, the doubling 2((m+l)P) is calculated using the 

15 formula of doubling in the projective coordinates of 
the Montgomery- form elliptic curve. In the step 4412, 
the point (2m+l)P obtained in the step 4410 and the 
point (2m+2)P obtained in the step 4411 are stored as a 
set of points ((2m+l)P, (2m+2)P) instead of the set of 

20 points (mP, (m+l)P) . Thereafter, the flow returns to 

the step 4404. Here, the points {2m+l)P, (2m+2)P, mP, 
and (m+l)P are all represented in the projective 
coordinates. In step 4415, the point {m-l)P in the 
Montgomery- form elliptic curve is transformed to the 

25 point shown by the projective coordinates on the 

Weierstrass-f orm elliptic curve. The X-coordinate and 
Z-coordinate of the point are set anew to X^_^ and Z^_^. 
Moreover, with respect to the set of points (mP, (m+l)P) 
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represented by the projective coordinates in the 
Montgomery- form elliptic curve, the points mP and 

(m+l)P are transformed to the points represented by the 
projective coordinates on the Weierstrass-form- elliptic 
5 curve, and are set anew to mP= (X^, Y^, Z^^) and (m+l)P= 

(Xn^+i/Y^+i/2^+i) - Here, and Y^^^ are not obtained, 
because the Y-coordinate cannot be obtained by the 
addition and doubling formulae in the projective 
coordinates of the Montgomery- form elliptic curve. In 
10 step 4413, and are outputted as X^ and Z^ from the 
point mP= (X^, Y^, Zj^) represented by the projective 
coordinates on the Weierstrass-form elliptic curve, and 
Xj^+i and Zj^+i are outputted as X^+i and Z^+i from the point 

(m+1 ) P= (X^+^, Y^+i, Z^^J represented by the projective 
15 coordinates on the Weierstrass-form elliptic curve. In 
the above procedure, m and scalar value d are equal in 
the bit length and bit pattern, and are therefore 
equal . 

The computational amount of the addition 
20 formula in the projective coordinates of the 

Montgomery- form elliptic curve is 3M+2S with Zi=l . 
Here, M is the computational amount of multiplication 
on the finite field, and S is the computational amount 
of squaring on the finite field. The computational 
2 5 amount of the doubling formula in the projective 

coordinates of the Montgomery- form elliptic curve is 
3M4-2S. When the value of the I-th bit of the scalar 
value is 0, the computational amount of addition in the 
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step 4407, and the computational amount of doubling in 
the step 4408 are required. That is, the computational 
amount of 6MH-4S is required. When the value of the I- 
th bit of the scalar value is 1, the computational 
5 amount of addition in the step 4 410, and the computa- 
tional amount of doubling in the step 4411 are 
required. That is, the computational amount of 6M+4S 
is required. In any case, the computational amount of 
6M+4S is required. The number of repetitions of the 

10 steps 4404, 4405, 4406, 4407, 4408, 4409, or the steps 
4404, 4405, 4406, 4410, 4411, 4412 is (bit length of 
the scalar value d)-l. Therefore, in consideration of 
the computational amount of doubling in the step 4 4 02, 
the computational amount necessary for the transform to 

15 the point on the Montgomery- form elliptic curve in the 
step 4416, and the computational amount necessary for 
the transform to the point on the Weierstrass-f orm 
elliptic curve in the step 4415, the entire computa- 
tional amount is { 6M+4S ) k+2M-2S . Here, k is the bit 

20 length of the scalar value d. In general, since the 

computational amount S is estimated to be of the order 
of S=0.8 M, the entire computational amount is 
approximately (9.2k+0.4)M. For example, when the 
scalar value d indicates 160 bits (k=160) , the 

25 computational amount of algorithm of the aforementioned 
procedure is about 1472 M. The computational amount 
per bit of the scalar value d is about 9.2 M. In A. 
Miyaji, T. Ono, H. Cohen, Efficient elliptic curve 
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exponentiation using mixed coordinates. Advances in 
Cryptology Proceedings of ASIACRYPT' 98 , LNCS 1514 
(1998) pp. 51-65, the scalar multiplication method using 
the window method and mixed coordinates mainly includ- 
5 ing Jacobian coordinates in the Weierstrass-f orm 

elliptic curve is described as the fast scalar multi- 
plication method. In this case, the computational 
amount per bit of the scalar value is estimated to be 
about 10 M. For example, when the scalar value d 

10 indicates 160 bits (k=160) , the computational amount of 
the scalar multiplication method is about 1600 M. 
Therefore, the algorithm of the aforementioned 
procedure according to the present invention can be 
said to have a small computational amount and high 

15 speed. 

Additionally, instead of using the afore- 
mentioned algorithm in the fast scalar multiplication 
unit 202, another algorithm may be used as long as the 
algorithm outputs X^, Z^, X^^^, Z^+i from the scalar value 

20 d and the point P on the Weierstrass-f orm elliptic 
curve at high speed. 

The computational amount required for 
recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 

25 14M+S+I, and this is far small as compared with the 

computational amount of (9-2k+0.4)M necessary for fast 
scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
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necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 
computational amount necessary for the fast scalar 
multiplication of the fast scalar multiplication unit. 
5 Assuming 1=40 M, S=0.8 M, the computational amount can 
be estimated to be about ( 9 . 2k+55 . 2 ) M . For example, 
when the scalar value d indicates 160 bits (k=160) , the 
computational amount necessary for the scalar multipli- 
cation is about 1527 M. The Weierstrass-f orm elliptic 

10 curve is used as the elliptic curve, the scalar 

multiplication method is used in which the window 
method and the mixed coordinates mainly including the 
Jacobian coordinates are used, and the scalar- 
multiplied point is outputted as the affine coordi- 

15 nates. In this case, the required computational amount 
is about 1640 M, and as compared with this, the 
required computational amount is reduced. 

In a eighteenth embodiment, the Weierstrass- 
form elliptic curve is used as the elliptic curve. 

20 That is, the elliptic curve for use in input/output of 
the scalar multiplication unit 103 is Weierstrass-f orm 
elliptic curve. Additionally, as the elliptic curve 
for use in the internal calculation of the scalar 
multiplication unit 103, the Montgomery- form elliptic 

25 curve which can be transformed from the Weierstrass- 

form elliptic curve may be used. The scalar multipli- 
cation unit 103 calculates and outputs the scalar- 
multiplied point (Xd,Yd, Zd) with the complete coordinate 
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given thereto as the point of the projective coordi- 
nates in the Weierstrass-f orm elliptic curve from the 
scalar value d and the point P on the Weierstrass-f orm 
elliptic curve. The scalar value d and the point P on 
5 the Weierstrass-f orm elliptic curve are inputted into 
the scalar multiplication unit 103, and received by the 
scalar multiplication unit 202. The fast scalar 
multiplication unit 202 calculates and in the 
coordinate of the scalar-multiplied point dP= (X^, Y^, Z^) 

10 represented by the projective coordinates in the 

Weierstrass-f orm elliptic curve, and X^+^ and Z^+i in the 
coordinate of the point (d+1 ) P= (X^+i, Y^+i/ Z^+i) on the 
Weierstrass-f orm elliptic curve represented by the 
projective coordinates from the received scalar value d 

15 and the given point P on the Weierstrass-f orm elliptic 
curve. The information is given -to the coordinate 
recovering unit 203 together with the inputted point 
P=(x,y) on the Weierstrass-f orm elliptic curve 
represented by the affine coordinates. The coordinate 

20 recovering unit 203 recovers coordinate X^^j, Y^f and Z^ of 
the scalar-multiplied point dP= (X^, Y^, Z^) represented by 
the projective coordinates in the Weierstrass-f orm 
elliptic curve from the given coordinate values X^, Z^, 
^d+i/ Z^^.!, X, and y. The scalar multiplication unit 103 

25 outputs the scalar-multiplied point {X^fY^^Z^) with the 
coordinate completely given thereto in the projective 
coordinates as the calculation result. 

A processing of the coordinate recovering 
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unit which outputs X^, Y^, and from the given 
coordinates x, X^, Z^, X^+i/ Z^+i will next be described 
with reference to FIG. 38 . 

The coordinate recovering unit 203 inputs X^ 
5 and Z^ in the coordinate of the scalar-multiplied point 
dP= (Xd/ Zd) represented by the projective coordinates 
in the Weierstrass-f orm elliptic curve, X^+i and Z^+i in 
the coordinate of the point (d+1 ) P= (X^^.!, Y^^.!, Zj+i) on the 
Weierstrass-f orm elliptic curve represented by the 

10 projective coordinates, and (x,y) as representation of 
the point P on Weierstrass-f orm elliptic curve inputted 
into the scalar multiplication unit 103 in the affine 
coordinates, and outputs the scalar-multiplied point 
(Xd,Yd,Zd) with the complete coordinate given thereto in 

15 the projective coordinates in the following procedure. 
Here, the affine coordinate of the inputted point P on 
the Weierstrass-form elliptic curve is represented by 
(x,y), and the projective coordinate thereof is 
represented by (X^^Yi^Zi). Assuming that the inputted 

20 scalar value is d, the affine coordinate of the scalar- 
multiplied point dP in the Weierstrass-form elliptic 
curve is represented by (x^^yd)/ and the projective 
coordinate thereof is represented by (X^fY^,Z^). The 
affine coordinate of the point (d+l)P on the 

25 Weierstrass-form elliptic curve is represented by 
(Xd+i,yd+i)/ and the projective coordinate thereof is 
represented by (X^+i, Yd+i, Zd+i) . 

In step 3801, xxZd is calculated and stored in 
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the register T^. In step 3802 X^+T^^ is calculated. 
Here, xZ^ is stored in the register T^, and therefore 
xZd+Xd is calculated. The result is stored in the 
register T2. In step 3803 X^-Ti is calculated, here the 
5 register stores xZ^, and therefore xZ^-X^ is calcu- 
lated. The result is stored in the register T3. In 
step 3804 a square of the register T3 is calculated- 
Here, since xZ^-X^i is stored in the register T3, (X^i-xZci)^ 
is calculated. The result is stored in the register T3. 

10 In step 3805 T3xXd+i is calculated. Here, since (X^-xZ^)^ 
is stored in the register T3, X^+i (X^-xZ^) ^ is calculated. 
The result is stored in the register T3 . In step 3806 
xxXd is calculated, and stored in the register T^. In 
step 3807 axZ^ is calculated, and stored in the register 

15 T4. In step 3808 T^+T^ is calculated. Here, since xX^ 
is stored in the register T^, and aZ^ is stored in the 
register T4, xX^+aZ^ is calculated. The result is stored 
in the register T^. In step 3809 T1XT2 is calculated. 
Here, since the register T^ stores xX^+aZ^/ and xZ^+X^ is 

20 stored in the register T2, (xX^+aZ^) (xZ^+X^) is calcu- 
lated. The result is stored in the register T^. In 
step 3810 a square of the register Z^ is calculated, and 
stored in the register T2 . In step 3811 T2x2b is 
calculated. Here, since the register T2 stores Z/, 

25 2bZ/ is calculated. The result is stored in the 

register Tj . In step 3812 T1+T2 is calculated. Here, 
since (xX^+aZ^) (xZ^+X^) is stored in the register Ti and 
2bZd' is stored in the register T2, (xX^+aZj (xZ^+XJ +2bZd' 
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is calculated. The result is stored in the register T^. 
In step 3813 T^xZ^+i is calculated. Here, since 
(xXd+aZd) (xZ^+X^) +2bZ/ is stored in the register T^, 
Zd+i ( (xXd+aZ^) (xZd+Xd) +2bZ/) is calculated. The result is 
5 stored in the register T^. In step 3814 T1-T3 is 

calculated. Here, since Z^+i ( (xX^+aZ^) (xZ^+X^) +2bZd^) is 
stored in the register T^ and X^+i (X^-xZ^) ^ is stored in 
the register T3, Z^^^ ( (xX^+aZ J (xZ^+X^) +2bZ/) -Xd+, (X^-xZ^) ' 
is calculated, and the result is stored in the register 

10 Y^, In step 3815 2yxZ^ is calculated, and stored in the 
register T2. In step 3816 Iz^'^d+i is calculated- Here, 
since the register T2 stores 2yZ^f 2yZdZd+i is calculated, 
and the result is stored in the register T2- In step 
3817 T2xXd is calculated. Here, since 2yZ^Z^+^ is stored 

15 in the register T2, ^yZ^Z^+^X^ is calculated, and the 

result is stored in the register X^- In step 3819, T2xZd 
is calculated. Here, since the register T2 stores 
2yZdZd+;L' 2yZ^Z^+-L2^ is calculated, and the result is 
stored in the register Z^. Therefore, the register Z^ 

20 stores 2yZdZd+iZd. In the step 3814 since 

Zd+i( (xXd+aZJ (xZd+Xd)+2bZd')+Xd+i(Xd-xZd)^ is stored in the 
register Y^, and is not updated thereafter, the value is 
held. In the step 3817, since 2yZdZd^iXd is stored in 
the register X^, and is not updated thereafter, the 

25 value is held. 

A reason why all the values in the projective 
coordinate {X^,Y^,Z^) of the scalar-multiplied point in 
the Weierstrass-f orm elliptic curve are recovered from 
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the given x, y, X^, Z^, ^d+ir Z^+i by the aforementioned 
procedure is as follows. Additionally, the point 
{d+l)P is a point obtained by adding the point P to the 
point dP. The assignment to the addition formulae in 
5 the affine coordinates of the Weierstrass-f orm elliptic 
curve results in Equations 27. Since the points P and 
dP are points on the Weierstrass-f orm elliptic curve, 
y/=Xd^+aXd+b and y^=x^+ax+b are satisfied. When the 
value is assigned to Equation 27, y/ and y^ are deleted, 

10 and the equation is arranged. Equation 70 is obtained. 
Here, k^^^X^/Z^, Xd+i=Xd+i/Zd+i - The value is assigned and 
thereby converted to the value of the projective 
coordinate. Then, Equation 71 is obtained. Although 
Xd=Xd/Zd, the reduction to the denominator common with 

15 that of y^ is performed for the purpose of reducing the 
frequency of inversion, and Equation 72 results. 

. . , Equation 73 
Here, and may be updated by the following, 

. . . Equation 74 

. . . Equation 75 

Here, X^, Y^, Z^ are given by the processing shown in 
25 FIG. 38. Therefore, all the values of the projective 
coordinate {X^.Y^fZ^) are recovered. 
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For the aforementioned procedure, in the 
steps 3801, 3805, 3806, 3807, 3809, 3811, 3813, 3815, 
3816, 3817 and 3818, the computational amount of 
multiplication on the finite field is required. 
5 Moreover, the computational amount of squaring on the 
finite field is required in the steps 3804 and 3810, 
The computational amounts of addition and subtraction 
on the finite field are relatively small as compared 
with the computational amounts of multiplication and 

10 squaring on the finite field, and may therefore be 
ignored. Assuming that the computational amount of 
multiplication on the finite field is M, and the 
computational amount of squaring on the finite field is 
S, the above procedure requires a computational amount 

15 of 11M+2S. This is far small as compared with the 

computational amount of the fast scalar multiplication. 
For example, when the scalar value d indicates 160 
bits, the computational amount of the fast scalar 
multiplication is estimated to be a little less than 

20 about 1500 M. Assuming S=0 . 8 M, the computational 
amount of coordinate recovering is 12.6 M, and far 
small as compared with the computational amount of the 
fast scalar multiplication- Therefore, it is indicated 
that the coordinate can efficiently be recovered. 

25 Additionally, even when the above procedure 

is not taken, but if the values of X^, Y^, can be 
calculated, the values of X^, Y^, can be recovered. 
Moreover, the values of X^, Y^, Z^ are selected so that 
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Xd/ Yd take the values given by the aforementioned 
equations. When the values can be calculated, and X^, 
Yd/ Zd can be recovered. In this case, the computa- 
tional amount required for recovering generally 
5 increases - 

An algorithm for outputting X^, Z^/ X^+i/ Z^+i 
from the scalar value d and the point P on the 
Weierstrass-form elliptic curve will next be described. 

As the fast scalar multiplication method of 
10 the scalar multiplication unit 202 of the eighteenth 
embodiment, the fast scalar multiplication method of 
the seventeenth embodiment is used. Thereby, as the 
algorithm which outputs X^, Z^, X^.^, Z^^^ from the scalar 
value d and the point P on the Weierstrass-form 
15 elliptic curve, the fast algorithm is achieved. 

Additionally, instead of using the aforementioned 
algorithm in the scalar multiplication unit 202, any 
algorithm may be used as long as the algorithm outputs 
Xd, Zd, Xd+i, Zd+i from the scalar value d and the point P 
20 on the Weierstrass-form elliptic curve at high speed. 

The computational amount required for 
recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 
11M+2S, and this is far small as compared with the 
25 computational amount of (9-2k+0.4)M necessary for the 
fast scalar multiplication of the fast scalar multi- 
plication unit 202. Therefore, the computational 
amount necessary for the scalar multiplication, of the 
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scalar multiplication unit 103 is substantially equal 
to the computational amount necessary for the fast 
scalar multiplication of the fast scalar multiplication 
unit. Assuming that S=0.8 M, the computational amount 
can be estimated to be about (9.2k+13)M. For example, 
when the scalar value d indicates 160 bits (k=160) , the 
computational amount necessary for the scalar multipli- 
cation is 1485 M. The Weierstrass-f orm elliptic curve 
is used as the elliptic curve, the scalar multiplica- 
tion method is used in which the window method and the 
mixed coordinates mainly including the Jacobian 
coordinates are used, and the scalar-multiplied point 
is outputted as the Jacobina coordinates. In this 
case, the required computational amount is about 1600 
M, and as compared with this, the required computa- 
tional amount is reduced. 

In a nineteenth embodiment, the Weierstrass- 
form elliptic curve is used as the elliptic curve . 
That is, the elliptic curve for use in input/output of 
the scalar multiplication unit 103 is the Weierstrass- 
form elliptic curve. Additionally, as the elliptic 
curve for use in the internal calculation of the scalar 
multiplication unit 103, the Montgomery- form elliptic 
curve which can be transformed from the Weierstrass- 
form elliptic curve may be used. The scalar multipli- 
cation unit 103 calculates and outputs the scalar- 
multiplied point (Xd,yd) with the complete coordinate 
given thereto as the point of the affine coordinates in 



the Weierstrass-form elliptic curve from the scalar 
value d and the point P on the Weierstrass-f orm 
elliptic curve. The scalar value d and the point P on 
the Weierstrass-form elliptic curve are inputted into 
the scalar multiplication unit 103, and received by the 
scalar multiplication unit 202. The fast scalar 
multiplication unit 202 calculates in the coordinate 
of the scalar-multiplied point dF=(K^,y^) represented by 
the affine coordinates in the Weierstrass-form elliptic 
curve, Xd+i in the coordinate of the point (d+l)P= 
(Xd+i/Yd-hi) on the Weierstrass-form elliptic curve 
represented by the affine coordinates, and x^-i in the 
coordinate of the point (d-1 ) P= (Xd_i, y^-J on the 
Weierstrass-form elliptic curve represented by the 
affine coordinates from the received scalar value d and 
the given point P on the Weierstrass-form elliptic 
curve. The information is given to the coordinate 
recovering unit 203 together with the inputted point 
P=(x,y) on the Weierstrass-form elliptic curve 
represented by the affine coordinates- The coordinate 
recovering unit 203 recovers the coordinate y^ of the 
scalar-multiplied point dF= {x^, y^) represented by the 
affine coordinates in the Weierstrass-form elliptic 
curve from the given coordinate values x^, x^+i/ x^.i, x, 
and y. The scalar multiplication unit 103 outputs the 
scalar-multiplied point (Xd,yd) with the coordinate 
completely given thereto in the affine coordinates as 
the calculation result. 
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A processing of the coordinate recovering 
unit which outputs x^. Yd from the given coordinates x, 
Y, x^, x^+i will next be described with reference to FIG. 
39. 

5 The coordinate recovering unit 203 inputs x^ 

in the coordinate of the scalar-multiplied point 
dP=(x^,Yd) represented bY the affine coordinates in the 
Weierstrass-f orm elliptic curve, ^d+i the coordinate 
of the point (d+l ) P= (x^+i, Yd+i) the Weierstrass-f orm 

10 elliptic curve represented hy the affine coordinates, 
and (x,y) as representation of the point P on the 
Weierstrass-f orm elliptic curve inputted into the 
scalar multiplication unit 103 in the affine coordi- 
nates, and outputs the scalar-multiplied point (x^. Yd) 

15 with the complete coordinate given thereto in the 
affine coordinates in the following procedure. 

In step 3901 x^^xx is calculated, and stored in 
the register T^. In step 3902 T^+a is calculated- 
Here, since x^x is stored in the register T^, x^x+a is 

20 calculated. The result is stored in the register T^. 
In step 3903 x^+x is calculated, and stored in the 
register T2 - In step 3904 T1XT2 is calculated. Here, 
since x^x+a is stored in the register T^, and x^+x is 
stored in the register T2, (x^x+a) (x^+x) is calculated. 

25 The result is stored in the register T^. In step 3905 

Ti+2b is calculated. Here, since (x^x+a) (x^+x) is stored 
in the register T^, (x^x+a) (Xd+x)+2b is calculated. The 
result is stored in the register T^. In step 3906 x^-x 



is calculated, and stored in the register T2 . In step 
3907 a square of is calculated. Here, since x^-x is 
stored in the register T2, (x^-x)^ is calculated. The 
result is stored in the register T2 . In step 3908 
T2X^2d+i is calculated. Here, since (x^-x)^ is stored in 
the register T2, Xd^i(Xd-x)^ is calculated. The result is 
stored in the register T2 . In step 3909 T^-Ts is 
calculated. Here, since (x^x+a) (x^+x) +2b is stored in 
the register T^ and x^^]^(x^— x)^ is stored in the register 
T2, (x^x+a) (Xd+x) +2b-Xd^i (x^-x) ^ is calculated. The result 
is stored in the register T^. In step 3910 the inverse 
element of 2y is calculated, and stored in the register 
T2. In step 3911 T^xTs is calculated. Here, since 
(XrfX+a) (x^+x) +2b-x^^.i (x^-x) ^ is stored in the register 
and l/2y is stored in the register T2, ( (x^x+a) {Xd+x)+2b- 
^d+i (Xd~^) ^) /2y is calculated. The result is stored in 
the register y^. Therefore, ( (x^x+a) (x^+x) +2b-Xd+i (x^- 
x)^)/2y is stored in the register y^. Since the 
register x^ is not updated, the inputted value is held. 

A reason why the y-coordinate of the 
scalar-multiplied point is recovered by the afore- 
mentioned procedure is as follows. The point {d+l)P is 
obtained by adding the point P to the point {d+l)P. 
The assignment to the addition formulae in the affine 
coordinates of the Weierstrass-f orm elliptic curve 
results in Equation 27. Since the points P and dP are 
points on the Weierstrass-f orm elliptic curve, 
yd^=Xd^+aXd+b and y^=x^+ax+b are satisfied. When the 
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value is assigned to Equation 27, y/ and are deleted, 
and the equation is arranged. Equation 70 is obtained. 
Here, x^^, y^ are given by the processing of FIG. 39. 
Therefore, all the values of the affine coordinate 
5 i^dfYd) 3.re recovered. 

For the aforementioned procedure, in the 
steps 3901, 3904, 3908, and 3911, the computational 
amount of multiplication on the finite field is 
required- Moreover, the computational amount of 

10 squaring on the finite field is required in the step 
3907. Furthermore, the computational amount of the 
inversion on the finite field is required in the step 
3910. The computational amounts of addition and 
subtraction on the finite field are relatively small as 

15 compared with the computational amounts of multipli- 
cation, squaring, and inversion on the finite field, 
and may therefore be ignored. Assuming that the 
computational amount of multiplication on the finite 
field is M, the computational amount of squaring on the 

20 finite field is S, and the computational amount of 

inversion on the finite field is I, the above procedure 
requires a computational amount of 4M+S+I. This is far 
small as compared with the computational amount of the 
fast scalar multiplication. For example, when the 

25 scalar value d indicates 160 bits, the computational 
amount of the fast scalar multiplication is estimated 
to be a little less than about 1500 M. Assuming S=0.8 
M, 1=4 0 M, the computational amount of coordinate 
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recovering is 44.8 M, and far small as compared with 
the computational amount of the fast scalar multipli- 
cation. Therefore, it is indicated that the coordinate 
can efficiently be recovered. 
5 Additionally, even when the above procedure 

is not taken, but if the values of the right side of 
the equation can be calculated, the value of y^ can be 
recovered. In this case, the computational amount 
required for recovering generally increases. 
1^ ^ algorithm for outputting x^, x^+i from the 

scalar value d and the point P on the Weierstrass-f orm 
elliptic curve will next be described with reference to 
FIG. 44. 

The fast scalar multiplication unit 202 
15 inputs the point P on the Weierstrass-f orm elliptic 

curve inputted into the scalar multiplication unit 103, 
and outputs x^ in the scalar-multiplied point dP=(Xd,yj) 
represented by the affine coordinate in the 
Weierstrass-form elliptic curve, and k^^^ in the point 
20 (d+1) P= (x^^i, y^^J on the Weierstrass-form elliptic curve 
represented by the affine coordinate by the following 
procedure. In step 4416, the given point P on the 
Weierstrass-form elliptic curve is transformed to the 
point represented by the projective coordinates on the 
25 Montgomery- form elliptic curve. This point is set anew 
to point P. In step 4401, the initial value 1 is 
assigned to the variable I. The doubled point 2P of 
the point P is calculated in step 4402. Here, the 
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point P is represented as (x,y, 1) in the projective 
coordinate, and the formula of doubling in the projec- 
tive coordinate of the Montgomery- form elliptic curve 
is used to calculate the doubled point 2P. In step 
4403, the point P on the elliptic curve inputted into 
the scalar multiplication unit 103 and the point 2P 
obtained in the step 4402 are stored as a set of points 
(P,2P). Here, the points P and 2P are represented by 
the projective coordinate. It is judged in step 4404 
whether or not the variable I agrees with the bit 
length of the scalar value d. With agreement, the flow 
goes to step 4415. With disagreement, the flow goes to 
step 4405. The variable I is increased by 1 in the 
step 4405. It is judged in step 4406 whether the value 
of the I-th bit of the scalar value is 0 or 1 . When 
the value of the bit is 0, the flow goes to the step 
4407. When the value of the bit is 1, the flow goes to 
step 4410. In step 4407, addition mP+(m+l)P of points 
mP and (m+l)P is performed from the set of points 
(mP, (m+l)P) represented by the projective coordinate, 
and the point (2m+l)P is calculated. Thereafter, the 
flow goes to step 4408. Here, the addition mP+(m+l)P 
is calculated using the addition formula in the projec- 
tive coordinate of the Montgomery- form elliptic curve. 
In step 4408, doubling 2 (mP) of the point mP is 
performed from the set of points (mP, (m+l)P) 
represented by the projective coordinate, and the point 
2mP is calculated. Thereafter, the flow goes to step 
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4409. Here, the doubling 2 (mP) is calculated the 
formula of doubling in the projective coordinates of 
the Montgomery- form elliptic curve. In step 4409, the 
point 2mP obtained in the step 4408 and the point 
5 (2m+l)P obtained in the step 4407 are stored as a set 
of points (2mP, (2m+l)P) instead of the set of points 
(mP, (m-Hl) P) . Thereafter, the flow returns to the step 
4404. Here, the points 2mP, (2m4-l)P, mP, and (m+l)P 
are all represented in the projective coordinates. In 

10 step 4410, addition mP+(m+l)P of the points mP, (m+l)P 
is performed from the set of points (mP, (m+l)P) 
represented by the projective coordinates, and the 
point (2m+l)P is calculated. Thereafter, the flow goes 
to step 4411. Here, the addition mP+(m+l)P is 

15 calculated using the addition formula in the projective 
coordinates of the Montgomery- form elliptic curve. In 
the step 4411, doubling 2((m+l)P) of the point (m+l)P 
is performed from the set of points (mP, (m+l)P) 
represented by the projective coordinates, and the 

20 point (2m+2)P is calculated. Thereafter, the flow goes 
to step 4412. Here, the doubling 2((m+l)P) is calcu- 
lated using the formula of doubling in the projective 
coordinates of the Montgomery-form elliptic curve. In 
the step 4412, the point (2m+l)P obtained in the step 

25 4410 and the point (2m+2)P obtained in the step 4411 

are stored as a set of points ((2m+l)P, {2m+2)P) instead 
of the set of points (mP, (m+l)P) . Thereafter, the flow 
returns to the step 4404. Here, the points (2m+l)P, 
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(2111+2) P, mP, and (ni+l)P are all represented in the 
projective coordinates. In step 4415^ with respect to 
the set of points (mP, (ia+l)P) represented by the 
projective coordinates in the Montgomery- form elliptic 
5 curve, the points mP and (m+1) P are transformed to the 
point shown by the affine coordinates on the 
Weierstrass-f orm elliptic curve, and set anew to 
mP={x^, y^) and (m+1 ) P= (x^^^, y^^J . Here, y^ and y^^^ are 
not obtained, because the Y-coordinate cannot be 

10 obtained by the addition and doubling formulae in the 
projective coordinates of the Montgomery- form elliptic 
curve. Thereafter, the flow goes to step 4413. In the 
step 4413, is outputted as x^ from the point 
mP=(x^, y^^) represented by the affine coordinates on the 

15 Weierstrass-form elliptic curve, and Xj„+i is outputted as 
x^+i from the point (m+1 ) P= (x^^^^, y^^^^J represented by the 
affine coordinates on the Weierstrass-form elliptic 
curve. In the above procedure, m and scalar value d 
are equal in the bit length and bit pattern, and are 

20 therefore equal. 

The computational amount of the addition 
formula in the projective coordinates of the 
Montgomery- form elliptic curve is 3M+2S with Zi=l . 
Here, M is the computational amount of multiplication 

25 on the finite field, and S is the computational amount 
of squaring on the finite field. The computational 
amount of the doubling formula in the projective 
coordinates of the Montgomery- form elliptic curve is 
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3M+2S. When the value of the I-th bit of the scalar 
value is 0, the computational amount of addition in the 
step 44 07, and the computational amount of doubling in 
the step 4408 are required. That is, the computational 
5 amount of 6M+4S is required. When the value of the I- 
th bit of the scalar value is 1, the computational 
amount of addition in the step 4410, and the computa- 
tional amount of doubling in the step 4411 are 
required. That is, the computational amount of 6M+4S 

10 is required. In any case, the computational amount of 
6M+4S is required. The number of repetitions of the 
steps 4404, 4405, 4406, 4407, 4408, 4409, or the steps 
4404, 4405, 4406, 4410, 4411, 4412 is (bit length of 
the scalar value d)-l. Therefore, in consideration of 

15 the computational amount of doubling in the step 44 02, 
the computational amount necessary for the transform to 
the point on the Montgomery- form elliptic curve in the 
step 4416, and the computational amount necessary for 
the transform to the point on the Weierstrass-f orm 

20 elliptic curve in the step 4415, the entire computa- 
tional amount is ( 6M+4S ) k+4M-2S+I . Here, k is the bit 
length of the scalar value d. In general, since the 
computational amount S is estimated to be of the order 
of S=0.8 M, and the computational amount I is estimated 

25 to be of the order of 1=40 M, the entire computational 
amount is approximately (9. 2k+42 . 4)M- For example, 
when the scalar value d indicates 160 bits (k=160), the 
computational amount of algorithm of the aforementioned 
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procedure is about 1514 M. The computational amount 
per bit of the scalar value d is about 9.2 M. In A. 
Miyaji, T. One, H. Cohen, Efficient elliptic curve 
exponentiation using mixed coordinates. Advances in 
5 Cryptology Proceedings of ASIACRYPT' 98 , LNCS 1514 

(1998) pp. 51-65, the scalar multiplication method using 
the window method and mixed coordinates mainly includ- 
ing Jacobian coordinates in the Weierstrass-f orm 
elliptic curve is described as the fast scalar multi- 

10 plication method. In this case, the computational 

amount per bit of the scalar value is estimated to be 
about 10 M. For example, when the scalar value d 
indicates 160 bits (k=160) , the computational amount of 
the scalar multiplication method is about 1640 M, 

15 Therefore, the algorithm of the aforementioned 

procedure can be said to have a small computational 
amount and high speed. 

Additionally, instead of using the afore- 
mentioned algorithm in the fast scalar multiplication 

20 unit 202, another algorithm may be used as long as the 
algorithm outputs x^/ x^+i/ Xd=i from the scalar value d 
and the point P on the Weierstrass-f orm elliptic curve 
at high speed. 

The computational amount required for 

25 recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 
4M+S+I, and this is far small as compared with the 
computational amount of (9.2k+42.4)M necessary for fast 
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scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 
5 computational amount necessary for the fast scalar 

multiplication of the fast scalar multiplication unit. 
Assuming 1=40 S=0.8 M, the computational amount can 
be estimated to be about {9.2k+87 .2)M. For example, 
when the scalar value d indicates 160 bits (k=160), the 

10 computational amount necessary for the scalar multi- 
plication is about 1559 M. The Weierstrass-f orm 
elliptic curve is used as the elliptic curve, the 
scalar multiplication method is used in which the 
window method and the mixed coordinates mainly 

15 including the Jacobian coordinates are used, and the 
scalar-multiplied point is outputted as the affine 
coordinates. In this case, the required computational 
amount is about 164 0 M, and as compared with this, the 
required computational amount is reduced. 

20 In a twentieth embodiment, the Weierstrass- 

form elliptic curve is used as the elliptic curve for 
the input/output, and the Montgomery- form elliptic 
curve which can be transformed from the inputted 
Weierstrass-form elliptic curve is used for the 

25 internal calculation. The scalar multiplication unit 
103 calculates and outputs the scalar-multiplied point 
i^dfVd) with the complete coordinate given thereto as 
the point of the affine coordinates in the Weierstrass- 
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form elliptic curve from the scalar value d and the 
point P on the Weierstrass-f orm elliptic curve. The 
scalar value d and the point P on the Weierstrass-f orm 
elliptic curve are inputted into the scalar multipli- 
5 cation unit 103, and received by the scalar multipli- 
cation unit 202. The fast scalar multiplication unit 

202 calculates and in the coordinate of the 
scalar-multiplied point dP= (X^, Y^, Z^) represented by the 
projective coordinates in the Montgomery-form elliptic 

10 curve, and X^+i and Z^+i in the coordinate of the point 
(d+1) P= (Xrf+i, Y^+i, Z^+i) on the Montgomery- form elliptic 
curve represented by the projective coordinates from 
the received scalar value d and the given point P on 
the Weierstrass-f orm elliptic curve. Moreover, the 

15 inputted point P on the Weierstrass-f orm elliptic curve 
is transformed to the point on the Montgomery- form 
elliptic curve which can be transformed from the given 
Weierstrass-f orm elliptic curve, and the point is set 
anew to P={x,y). The fast scalar multiplication unit 

20 202 gives X^, Z^, X^^-i, Z^+i/ x, and y to the coordinate 
recovering unit 203. The coordinate recovering unit 

203 recovers coordinate x^, y^ of the scalar-multiplied 
point dP=(x^,yd) represented by the affine coordinates 
in the Weierstrass-f orm elliptic curve from the given 

25 coordinate values X^, Z^, X^+i, Z^+i, x, and y. The scalar 
multiplication unit 103 outputs the scalar-multiplied 
point (Xd,yd) with the coordinate completely given 
thereto in the affine coordinates as the calculation 
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result . 

A processing of the coordinate recovering 
unit for outputting x^^, from the given coordinates x, 
y, X^, Z^, X^^^i, Zj+i will next be described with reference 
5 to FIG- 40- 

The coordinate recovering unit 2 03 inputs X^, 
and Zd in the coordinate of the scalar-multiplied point 
dP= (X^, Zj) represented by the projective coordinates 
in the Montgomery- form elliptic curve, X^^^ and Z^+i in 

10 the coordinate of the point (d+1 ) P= (X^+i/ Y^+i, Z^+i) on the 
Montgomery- form elliptic curve represented by the 
projective coordinates, and (x,y) as representation of 
the point P on Montgomery- form elliptic curve inputted 
into the scalar multiplication unit 103 in the affine 

15 coordinates, and outputs the scalar-multiplied point 
i^dfYd) with the complete coordinate given thereto in 
the affine coordinates in the following procedure. 
Here, the affine coordinate of the inputted point P on 
the Montgomery-form elliptic curve is represented by 

20 (x,y), and the projective coordinate thereof is 

represented by (Xi,Yi,Zi). Assuming that the inputted 
scalar value is d, the affine coordinate of the scalar- 
multiplied point dP in the Montgomery-form elliptic 
curve is represented by (Xd"°"/ y^^'''') , and the projective 

25 coordinate thereof is represented by (Xa,Y^,Z^) . The 
affine coordinate of the point (d+l)P on the 
Montgomery-form elliptic curve is represented by 
i^a+ifYd+i) f ^nd the projective coordinate thereof is 



represented by (X^-,!, Y^+i, Z^+i) . 

In step 4001, xxZ^ is calculated and stored in 
the register T^. In step 4002 X^+Ti is calculated. 
Here, xZ^ is stored in the register T^, and therefore 
5 xZ^+Xd is calculated- The result is stored in the 

register In step 4003 X^-Ti is calculated, here the 

register stores xZ^, and therefore xZ^-X^ is calcu- 
lated- The result is stored in the register T3. In 
step 4004 a square of the register T3 is calculated. 

10 Here, xZ^-X^ is stored in the register T3, and therefore 
(Xd-xZ^)^ is calculated. The result is stored in the 
register T3. In step 4005 TsxX^+i is calculated. Here, 
(Xj-xZ^)^ is stored in the register T3, and therefore 
Xd+i (Xd-xZ^) ^ is calculated. The result is stored in the 

15 register T3. In step 4006 2KxZ^ is calculated, and 
stored in the register T^. In step 4007 T2+T1 is 
calculated- Here, xZ^+X^ is stored in the register T^, 
2AZ^ is stored in the register T^, and therefore 
xZd+Xd+2AZd is calculated. The result is stored in the 

20 register Tg. In step 4008 xxX^ is calculated and stored 
in the register T4. In step 4009 T4+Zd is calculated. 
Here, the register T4 stores xX^, and therefore xX^+Z^ is 
calculated. The result is stored in the register T4 . 
In step 4010 T2XT4 is calculated. Here T2 stores 

25 xZd+Xd+2AZd/ the register T4 stores xX^+Zd/ and therefore 
(xZd+Xd+2AZd) (xXd+Zd) is calculated. The result is 
stored in the register T2. In step 4011 T^xZ^ is 
calculated. Here, since the register T^ stores 2AZd, 
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2AZ/ is calculated. The result is stored in the 
register T^. In step 4012 T2-T1 is calculated. Here 
{xZd+Xd+2AZJ (xXd+ZJ is stored in the register T^, 2AZd' 
is stored in the register T,, and therefore 
5 (xZd+Xd+2AZJ (xX^+ZJ-2AZ/ is calculated. The result is 
stored in the register T2 . In step 4013 T2xZd+i is 
calculated. Here (xZd+Xd+2AZJ (xX^+ZJ -2AZ/ is stored in 
the register T2, and therefore Z^^^ ( (xZd+X^+2AZd) (xX^+Z^) - 
2AZ/) is calculated. The result is stored in the 

10 register T2. In step 4014 T2-T3 is calculated. Here 

Zd+i ( (xZd+Xd+2AZd) (xXd+Zd) -2AZ/) is stored in the register 
^2/ X^+i (Xd~xZd) ^ is stored in the register T3, and 
therefore Z^.^ ( (xZ^+Xd+2AZ J (xX^+Z J -2AZ/) -X..^ (X^-xZ,) ' is 
calculated. The result is stored in the register T2 . 

15 In step 4015 2Bxy is calculated, and stored in the 

register T^. In step 4016 T^xZ^ is calculated. Here, 
Since 2By is stored in the register T^, 2ByZd is 
calculated. The result is stored in the register T^ . 
In step 4017 T^xZ^+i is calculated. Here, since the 

20 register T^ stores 2ByZd, 2ByZdZd+i is calculated. The 

result is stored in the register T^. In step 4018 T^xZ^ 
is calculated. Here, since the register stores 
2ByZdZd^i, 2ByZdZ^^iZd is calculated. The result is stored 
in the register T3. In step 4019 T3XS is calculated. 

25 Here, since the register T3 stores 2ByZdZd^iZd/ 2ByZdZd+iZdS 
is calculated. The result is stored in the register T3. 
In step 4020 the inverse element of the register T3 is 
calculated. Here, since 2ByZdZd+iZdS is stored in the 
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register T3, l/2ByZdZd+iZdS is calculated. The result is 
stored in the register T3. In step 4021 T2XT3 is 
calculated. Here, since the register T2 stores 
Zd+i( (xZd+Xd+2AZJ (xX^+ZJ-2AZ/)-Xd,, (Xd-xZj' and the 
5 register T3 stores l/2ByZdZd+iZdS, { Z^+i ( (xZd+Xd+2AZd) (xXd+ 
Zd)-2AZd')-Xd+i(Xd-xZd)^}/2ByZdZd+iZdS is calculated. The 
result is stored in the register y^. In step 4022 T^xX^ 
is calculated. Here, since the register T^ stores 
2ByZdZd-M, 2ByZdZd^iXd is calculated- The result is stored 

10 in the register T^. In step 4023 T1XT3 is calculated. 
Here, since the register T^ stores 2ByZdZd+iX^j and the 
register T3 stores l/2ByZdZd^.,ZdS, 2ByZdZd+iXd/2ByZdZd+iZdS 
{=Xd/Z^s) is calculated. The result is stored in the 
register T^. In step 4024 Ti+a is calculated. Here, 

15 since the register T^ stores X^/Z^s, (Xd/ZdS)+a is 

calculated. The result is stored in x^- Therefore, the 
value of (X^/ZdS)+a is stored in the register x^. In the 
step 4021 since { Z^^^ { (xZd+X^+2AZ J (xX^+Z J -2AZ/) -X^.i (X^- 
xZrf) ^ } /2ByZdZd+iZdS is stored in y^, and is not updated 

20 thereafter, the value is held. As a result, all the 
values of the affine coordinate (Xd,yd) in the 
Weierstrass-f orm elliptic curve are recovered. 

A reason why all the values in the affine 
coordinates (x^,y^) of the scalar-multiplied point in 

25 the Weierstrass-f orm elliptic curve are recovered from 
X, y, X^, Z^, ^d+if 2^+1 given by the aforementioned 
procedure is as follows. The point (d+l)P is a point 
obtained by adding the point P to the point dP. The 
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assignment to the addition formulae in the affine 
coordinates of the Montgomery- form elliptic curve 
results in Equation 38. Since the points P and dP are 
points on the Montgomery-form elliptic curve, 
5 By,^°"^-x/^"^+Ax/°^^+x/°" and By^=x^+Ax^+x are satisfied. 

When the value is assigned to- Equation 38, By^^""^ and By^ 
are deleted, and the equation is arranged, the follow- 
ing equation is obtained. 

yT" = ixT-x + lXxT +x + 2A)-2A-(xT" -xfx,,,}/(2By) 
10 ... Equation 76 

Here, x/°"=Xd/Zd, x^^i-X^+i/Zd+i . The value is assigned and 
thereby converted to the value of the projective 
coordinate. Then, the following equation is obtained. 

yT"={ZaAi^,^^Z,)(X, -FJcZ, +2AZ,)-2AZ',)-(x, - xZ X (2ByZ ,Z ,,,Z ,) 
15 ... Equation 77 

Although Xd"°"=Xd/Zd, the reduction to the denominator 
common with that of y^^'"'' is performed for the purpose of 
reducing the frequency of inversion, and the following 
equation is obtained. 

2 0 = {2ByZ,Z,^,X, )/(2ByZ ,Z ,^,Z , ) 

. . - Equation 7 8 

The correspondence between the point on the Montgomery- 
form elliptic curve and the point on the Weierstrass- 
form elliptic curve is described in K.Okeya, 
25 H.Kurumatani, K.Sakurai, Elliptic Curves with the 
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Montgomery- form and Their Cryptographic Applications, 
Public Key Cryptography, LNCS 1751 (2000) pp. 238-257. 
Thereby, when the conversion parameters are s, a, the 
relation is yd=s"'y/°^ and x^^s'^Xj^'^^+a . As a result, 
5 Equations 79, 80 are obtained. 

y, = ^^,X{X,x + Z,){X,^xZ, +2AZ,)-2AZiy{X, -xZ,f X,^,}/(2sByZ,Z,,,Z,) 

. - , Equation 7 9 

X, = ({2ByZ,Z,,,X,)/(2sByZ,Z,,,Z,))+a 
. . . Equation 8 0 

10 Here, x^, yd are given by FIG. 40. Therefore, 

all the values of the affine coordinates {Xd,yci) in the 
Weierstrass-f orm elliptic curve are recovered. 

For the aforementioned procedure, in the 
steps 4001, 4005, 4006, 4008, 4010, 4011, 4013, 4015, 

15 4016, 4017, 4018, 4019, 4021, 4022, and 4023, the 

computational amount of multiplication on the finite 
field is required. Moreover, the computational amount 
of squaring on the finite field is required in the step 
4004. Moreover, the computational amount of inversion 

20 on the finite field is required in the step 4020. The 
computational amounts of addition and subtraction on 
the finite field are relatively small as compared with 
the computational amounts of multiplication, squaring, 
and inversion on the finite field, and may therefore be 

25 ignored. Assuming that the computational amount of 
multiplication on the finite field is M, the computa- 



tional amount of squaring on the finite field is S, and 
the computational amount of the inversion on the finite 
field is I, the above procedure requires a computa- 
tional amount of 15M+S+I. This is far small as 
5 compared with the computational amount of the fast 
scalar multiplication. For example, when the scalar 
value d indicates 160 bits, the computational amount of 
the fast scalar multiplication is estimated to be a 
little less than about 1500 M. Assuming that S=0.8 M, 

10 1=4 0 M, the computational amount of coordinate recover- 
ing is 55.8 M, and far small as compared with the 
computational amount of the fast scalar multiplication. 
Therefore, it is indicated that the coordinate can 
efficiently be recovered. 

15 Additionally, even when the above procedure 

is not taken, but if the values of x^, yd given by the 
above equation can be calculated, the values of x^f yd 
can be recovered. In this case, the computational 
amount required for recovering generally increases. 

20 Furthermore, when the value of A or B as the parameter 
of the Montgomery- form elliptic curve, or s as the 
transform parameter to the Montgomery-form elliptic 
curve is set to be small, the computational amount of 
multiplication in the step 4006 or 4015 or the computa- 

25 tional amount of multiplication in step 4019 can be 
reduced. 

A processing of the fast scalar multiplica- 
tion unit for outputting Zd, Xd+i, Zd+i from the scalar 
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value d and the point P on the Weierstrass-f oriti 
elliptic curve will next be described. 

In this case, as the fast scalar multiplica- 
tion method of the scalar multiplication unit 202 of 
5 the twentieth embodiment, the fast scalar multiplica- 
tion method of the ninth embodiment (see Fig. 8) is 
used. Thereby, as the algorithm which outputs X^, Z^, 
^d+if Zd+i from the scalar value d and the point P on the 
Weierstrass-form elliptic curve, the fast algorithm can 

10 be achieved. Additionally, instead of using the 

aforementioned algorithm in the scalar multiplication 
unit 2 02, any algorithm may be used as long as the 
algorithm outputs X^, Z^, X^^^, Z^h-i from the scalar value 
d and the point P on the Weierstrass-f orm elliptic 

15 curve at high speed . 

The computational amount required for 
recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 
15M+S+I, and this is far small as compared with the 

20 computational amount of {9.2k-3.6)M necessary for fast 
scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 

25 computational amount necessary for the fast scalar 

multiplication of the fast scalar multiplication unit. 
Assuming that 1=40 M, S=0.8 M, the computational amount 
can be estimated to be about (9.2k-f 52 .2)M. For 
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example, when the scalar value d indicates 160 bits 
(k=160) , the computational amount necessary for the 
scalar multiplication is 1524 M. The Weierstrass-f orm 
elliptic curve is used as the elliptic curve, the 
5 scalar multiplication method is used in which the 

window method and the mixed coordinates mainly includ- 
ing the Jacobian coordinates are used, and the scalar- 
multiplied point is outputted as the affine coordi- 
nates. In this case, the required computational amount 

10 is about 1640 M, and as compared with this, the 
required computational amount is reduced. 

In a twenty-first embodiment, the 
Weierstrass-form elliptic curve is used as the elliptic 
curve for the input/output, and the Montgomery- form 

15 elliptic curve which can be transformed from the 

inputted Weierstrass-form elliptic curve is used for 
the internal calculation. The scalar multiplication 
unit 103 calculates and outputs the scalar-multiplied 
point (X/,Yd'', Z/) with the complete coordinate given 

20 thereto as the point of the projective coordinates in 
the Weierstrass-form elliptic curve from the scalar 
value d and the point P on the Weierstrass-form 
elliptic curve. The scalar value d and the point P on 
the Weierstrass-form elliptic curve are inputted into 

25 the scalar multiplication unit 103, and received by the 
scalar multiplication unit 202. The fast scalar 
multiplication unit 202 calculates and in the 
coordinate of the scalar-multiplied point dP= (X^, Y^, Z^) 
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represented by the projective coordinates in the 
Montgomery- form elliptic curve, and X^+i and Z^+i in the 
coordinate of the point (d+1 ) P= (Xd+i, Y^+i, Z^+J on the 
Montgomery- form elliptic curve represented by the 
5 projective coordinates from the received scalar value d 
and the given point P on the Weierstrass-f orm elliptic 
curve. Moreover, the inputted point P on the 
Weierstrass-form elliptic curve is transformed to the 
point on the Montgomery-form elliptic curve which can 

10 be transformed from the given Weierstrass-form elliptic 
curve, and the point is set anew to P=(x,y)- The fast 
scalar multiplication unit 202 gives X^, Z^, X^+i, Z^+i, x, 
and y to the coordinate recovering unit 203. The 
coordinate recovering unit 203 recovers coordinate X^^, 

15 Y/, Z/ of the scalar-multiplied point dF-= {X^^.Y^'', Z^"") 
represented by the projective coordinates in the 
Weierstrass-form elliptic curve from the given coordi- 
nate values Xd, Z^, X^+i, Z^^i, x, and y. The scalar 
multiplication unit 103 outputs the scalar-multiplied 

20 point (X^'', Y/, Z/) with the coordinate completely given 
thereto in the projective coordinates as the calcula- 
tion result. 

A processing of the coordinate recovering 
unit for outputting X^"", Y^^, from the given coordi- 

25 nates x, y, X^, Z^, X^+i, Z^+i will next be described with 
reference to FIG. 41. 

The coordinate recovering unit 203 inputs X^ 
and Z^ in the coordinate of the scalar-multiplied point 



dP= (Xd/ Yd, Zd) represented by the projective coordinates 
in the Montgomery- form elliptic curve, X^+i and Z^+i in 
the coordinate of the point (d+1 ) P= (Xd+i, Y^+i, Z^+i) on the 
Montgomery-form elliptic curve represented by the 
5 projective coordinates, and {x,y) as representation of 
the point P on Montgomery- form elliptic curve inputted 
into the scalar multiplication unit 103 in the affine 
coordinates, and outputs the scalar-multiplied point 
(Xd"", Y/, Zd"") with the complete coordinate given thereto 

10 in the projective coordinates on the Weierstrass-f orm 
elliptic curve in the following procedure. Here, the 
affine coordinate of the inputted point P on the 
Montgomery- form elliptic curve is represented by (x, y) , 
and the projective coordinate thereof is represented by 

15 (Xi,Yi,Zi). Assuming that the inputted scalar value is 
d, the affine coordinate of the scalar-multiplied point 
dP in the Montgomery-form elliptic curve is represented 
by i^dfYd) f ^nd the projective coordinate thereof is 
represented by (X^,Y^,Z^) , The affine coordinate of the 

20 point (d+l)P on the Montgomery- form elliptic curve is 
represented by (Xd+i,yd+i)/ and the projective coordinate 
thereof is represented by (X^+i, Y^+i, Z^+i) . 

In step 4101, xxZ^ is calculated and stored in 
the register Ti . In step 4102 X^+Ti is calculated. 

25 Here, xZ^ is stored in the register T^, and therefore 
xZ^+Xd is calculated. The result is stored in the 
register T^. In step 4103 X^-Ti is calculated, here the 
register T^ stores xZ^, and therefore xZ^-X^ is calcu- 
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lated. The result is stored in the register T3. In 
step 4104 a square of the register T3 is calculated. 
Here, xZ^-X^ is stored in the register T3, and therefore 
(X^-xZ^) ^ is calculated. The result is stored in the 
5 register T3. In step 4105 TaXX^+i is calculated. Here, 
(X^-xZ^)^ is stored in the register T3, and therefore 
^d+i (^d~^2;^) ^ is calculated- The result is stored in the 
register T3. In step 4106 2AxZd is calculated, and 
stored in the register Ti. In step 4107 T2+T1 is 

10 calculated. Here, xZ^+X^ is stored in the register T2, 
2AZ^ is stored in the register T^, and therefore 
xZd+Xd+2AZd is calculated. The result is stored in the 
register T2 . In step 4108 xxX^ is calculated and stored 
in the register T4 . In step 4109 T^-^Z^ is calculated. 

15 Here, the register T4 stores xX^, and therefore xX^+Z^ is 
calculated. The result is stored in the register T4. 
In step 4110 T2XT4 is calculated. Here the register T2 
stores xZd+Xd+2AZ^i, the register T4 stores xX^+Z^, and 
therefore (xZd+Xd+2AZd) (xX^+Zd) is calculated. The 

20 result is stored in the register T2 . In step 4111 T^xZ^ 
is calculated. Here, since the register T^ stores 2KL^, 
2AZ/ is calculated. The result is stored in the 
register T^ . In step 4112 T2-T1 is calculated. Here 
(xZd+Xd+2AZd) (xXd+Zd) is stored in the register T2, 2AZ/ 

25 is stored in the register T^, and therefore 

{xZd+Xd+2AZd) (xX^+Z^) -2AZ^^ is calculated. The result is 
stored in the register T2 . In step 4113 '^2^^^^x is 
calculated. Here (xZd+Xd+2AZd) (xX^+ZJ -2AZd^ is stored in 
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the register T2, and therefore Z^+i ( (xZd+Xd+2AZd) (xX^+Zd)- 
2AZ/) is calculated. The result is stored in the 
register T2 . In step 4114 T2-T3 is calculated. Here 
Z^^i ( (xZd+Xd+2AZ^) (xX^+Z^) -2AZ/) is stored in the register 
5 T2, X^+i (Xj-xZ^) ^ is stored in the register T3, and 

therefore Z^^, ( (xZd+Xd+2AZd) (xX^+Z^) -2AZ/) -X^^i (X^-xZ^) ^ is 
calculated. The result is stored in the register Y^". 
In step 4115 2Bxy is calculated, and stored in the 
register . In step 4116 T^xZ^ is calculated. Here, 

10 Since 2By is stored in the register Ti, 2ByZd is 

calculated. The result is stored in the register T^. 
In step 4117 T^xZ^+i is calculated. Here, since the 
register T^ stores 2ByZ^, 2ByZ^Zd+i is calculated. The 
result is stored in the register Ti. In step 4118 T^xZ^^ 

15 is calculated. Here, since the register T^ stores 

2ByZdZd+i, 2ByZdZd+iZd is calculated. The result is stored 
in the register T3. In step 4119 T3XS is calculated. 
Here, since the register T3 stores 2ByZdZd+iZd, 2ByZdZd^.iZdS 
is calculated- The result is stored in the register 

20 Z^. In step 4120 the T^xX^ is calculated. Here, since 
2ByZdZd+i is stored in the register T^, 2ByZdZd+iXd is 
calculated. The result is stored in the register T^. 
In step 4121 Z/xa is calculated. Here, since the 
register Z^^ stores 2ByZdZd+iZdS, 2ByZdZd+iZdSa is calcu- 

25 lated. The result is stored in the register T3. In 

step 4122 T^-fTg is calculated. Here, since 2ByZ^Zd+iXd is 
stored in the register T^^ and 2ByZdZd+iZdSa is stored in 
the register T3, 2ByZdZd+iXd+2ByZdZd+iZdSa is calculated. 
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The result is stored in X/. Therefore, the register 
stores a value of 2ByZ^Z^^^X^+2BYZ^Z^^^Z^SQL. In the step 
4114 since Z^.^ ( (xZ^+X^+2AZ J (xX^+Z J -2AZ^' ) -X^^i (Xd-xZ^) ^ is 
stored in Y^"^, and is not updated thereafter, the value 
5 is held. In the step 4119 2ByZdZd^.iZdS is stored in the 
Z/, and is not updated thereafter, and therefore the 
value is held. As a result, all the values of the 
projective coordinate (X/,Y/, Zd"") in the Weierstrass- 
form elliptic curve are recovered. 

10 A reason why all the values in the projective 

coordinates {X/,Y/, Z/) of the scalar-multiplied point 
in the Weierstrass-f orm elliptic curve are recovered 
from X, y, X^, Z^, X^+i, Z^+i given by the aforementioned 
procedure is as follows. The point {d+l)P is a point 

15 obtained by adding the point P to the point dP. The 
assignment to the addition formulae in the affine 
coordinates of the Montgomery-form elliptic curve 
results in Equation 6. Since the points P and dP are 
points on the Montgomery- form elliptic curve, 

20 Byd^=Xd^+AXd^+Xd and By^=xVAx^+x are satisfied. When the 
value is assigned to Equation 6, By/ and By^ are 
deleted, and the equation is arranged. Equation 64 is 
obtained. Here, y.^=XjZ^, Xd+i^X^+i/Z^+i . The value is 
assigned and thereby converted to the value of the 

25 projective coordinate. Then, Equation 65 is obtained. 
Although Xd=Xd/Zd, the reduction to the denominator 
common with that of y^, is performed for the purpose of 
reducing the frequency of inversion, and Equation 66 is 
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obtained. As a result, the following equation is 
obtained. 

Y', = Z,,, [(X, + xZ, + 2AZ, )iX,x + Z, ) - ]-(X,- xZ.f X,,, 
, . . Equation 81 

5 Then, the following equations are obtained. 

X', = 2ByZ,Z,^,X, 

. . . Equation 82 

. . . Equation 83 

10 Then, (X' Y' d) = (^d/ Y^/ 2d) . The correspondence 

between the point on the Montgomery- form elliptic curve 
and the point on the Weierstrass-f orm elliptic curve is 
described in K,Okeya, H . Kurumatani , K.Sakurai, Elliptic 
Curves with the Montgomery- form and Their Cryptographic 

15 Applications, Public Key Cryptography, LNCS 1751 (2000) 
pp. 238-257. Thereby, when the conversion parameter is 
sa, the relation is Y^''=Y' X/=X'^+aZ/, and Z/=sZ'd- As 
a result, the following equations are obtained. 

= zAi^^ +2AZ,XX^x+Z^)-2A^,]-(X, -xZ.fX,^ 
20 ... Equation 84 

XJ =2ByZ,Z,^,X,+aZj 

. . . Equation 85 

Zj = 2sByZ,Z,,,Z, 

. • . Equation 8 6 
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The values may be updated by the above. Here, X/,Y/, Z^i"^ 
are given by the processing of FIG. 41. Therefore, all 
the values of the projective coordinates [X^,Y^^, Z^^) in 
the Weierstrass-f orm elliptic curve are recovered. 
5 For the aforementioned procedure, in the 

steps 4101, 4105, 4106, 4108, 4110, 4111, 4113, 4115, 
4116, 4117, 4118, 4119, 4120, and 4121, the computa- 
tional amount of multiplication on the finite field is 
required. Moreover, the computational amount of 

10 squaring on the finite field is required in the step 
4104. The computational amounts of addition and 
subtraction on the finite field are relatively small as 
compared with the computational amounts of multiplica- 
tion and squaring on the finite field, and may there- 

15 fore be ignored. Assuming that the computational 

amount of multiplication on the finite field is M, and 
the computational amount of squaring on the finite 
field is S, the above procedure requires a computa- 
tional amount of 14M+S. This is far small as compared 

20 with the computational amount of the fast scalar 

multiplication. For example, when the scalar value d 
indicates 160 bits, the computational amount of the 
fast scalar multiplication is estimated to be a little 
less than about 1500 M. Assuming that S=0-8 M, the 

25 computational amount of coordinate recovering is 14.8 
M, and far small as compared with the computational 
amount of the fast scalar multiplication. Therefore, 
it is indicated that the coordinate can efficiently be 
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recovered. 

Additionally, even when the above procedure 
is not taken, but if the values of X^^, Y^^, Z/ given by 
the above equation can be calculated, the values of X/, 
5 Y/, Z/ can be recovered. Moreover, the scalar- 
multiplied point dp in the affine coordinates in the 
Weierstrass-f orm elliptic curve is set to dF= {x^^ , y/) . 
Then, the values of X^^, Y/, Z^"" are selected so that x^"", 
y^"" take the values given by the above equations. When 

10 the values can be calculated, X/, Y/, Z^^ can be 

recovered. In this case, the computational amount 
required for recovering generally increases. Further- 
more, when the value of A or B as the parameter of the 
Montgomery-form elliptic curve, or s as the transform 

15 parameter to the Montgomery-form elliptic curve is set 
to be small, the computational amount of multiplication 
in the step 4106, 4115, or 4119 can be reduced. 

An algorithm for outputting X^, Z^, ^d+i/ '^d+i 
from the scalar value d and the point P on the 

20 Weierstrass-f orm elliptic curve will next be described. 

As the fast scalar multiplication method of 
the scalar multiplication unit 202 of the twenty-first 
embodiment, the fast scalar multiplication method of 
the ninth embodiment is used. Thereby, as the 

25 algorithm which outputs X^, Z^, X^+i/ Z^+i from the scalar 
value d and the point P on the Weierstrass-f orm 
elliptic curve, the fast algorithm can be achieved. 
Additionally, instead of using the aforementioned 
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algorithm in the fast scalar multiplication unit 202, 
any algorithm may be used as long as the algorithm 
outputs Xd, Zd/ Xd+i/ Zd+i from the scalar value d and the 
point P on the Weierstrass-f orm elliptic curve at high 
5 speed. 

The computational amount required for 
recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 
14M+S, and this is far small as compared with the 

10 computational amount of (9.2k:-3.6)M necessary for fast 
scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 

15 computational amount necessary for the fast scalar 

multiplication of the fast scalar multiplication unit. 
Assuming that S=0.8 M, the computational amount can be 
estimated to be about (9.2k+11.2)M. For example, when 
the scalar value d indicates 160 bits {k=160) , the 

20 computational amount necessary for the scalar multipli- 
cation is 1483 M. The Weierstrass-f orm elliptic curve 
is used as the elliptic curve, the scalar multipli- 
cation method is used in which the window method and 
the mixed coordinates mainly including the Jacobian 

25 coordinates are used, and the scalar-multiplied point 
is outputted as the Jacobian coordinates. In this 
case, the required computational amount is about 1600 
M, and as compared with this, the required computa- 
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tional amount is reduced - 

In a twenty- second embodiment, the 
Weierstrass-f orm elliptic curve is used as the elliptic 
curve for input/output, and the Montgomery-form 
5 elliptic curve which can be transformed from the 
Weierstrass-f orm elliptic curve is used for the 
internal calculation- The scalar multiplication unit 
103 calculates and outputs the scalar-multiplied point 
i^d^fYd') with the complete coordinate given thereto as 

10 the point of the affine coordinates in the Weierstrass- 
form elliptic curve from the scalar value d and the 
point P on the Weierstrass-f orm elliptic curve. The 
scalar value d and the point P on the Weierstrass-f orm 
elliptic curve are inputted into the scalar multipli- 

15 cation unit 103, and received by the scalar multipli- 
cation unit 202. The fast scalar multiplication unit 
202 calculates in the coordinate of the scalar- 
multiplied point dP=(Xd,yd) represented by the affine 
coordinates in the Montgomery- form elliptic curve, x^+i 

20 in the coordinate of the point (d+l ) P== (Xd+i/ yd+i) on the 
Montgomery-form elliptic curve represented by the 
affine coordinates from the received scalar value d and 
the given point P on the Weierstrass-f orm elliptic 
curve. The information is given to the coordinate 

25 recovering unit 203 together with the inputted point 
P=(x,y) on the Montgomery-form elliptic curve 
represented by the affine coordinates. The coordinate 
recovering unit 203 recovers the coordinate of the 



:X G O ^^••S"^3 S fei M" «. O '^3 3 O OS 

264 

scalar-multiplied point dP=(x/, y/) represented by the 
affine coordinates in the Weierstrass-f orm elliptic 
curve from the given coordinate values x^j, x^+i, and 
The scalar multiplication unit 103 outputs the scalar- 
5 multiplied point (x^"^, y^"") with the coordinate completely 
given thereto on the Weierstrass-f orm elliptic curve in 
the affine coordinates as the calculation result. 

A processing of the coordinate recovering 
unit which outputs x/, y^"" from the given coordinates x, 
10 y, x^/ x^+i will next be described with reference to FIG. 
42. 

The coordinate recovering unit 2 03 inputs x^ 
in the coordinate of the scalar-multiplied point 
dP=(x^,yd) represented by the affine coordinates in the 

15 Montgomery- form elliptic curve, x^+i in the coordinate of 
the point (d+1) P= (x^+i, yd+i) on the Montgomery- form 
elliptic curve represented by the affine coordinates, 
and (x,y) as representation of the point P on the 
Montgomery- form elliptic curve in the affine coordi- 

20 nates inputted into the scalar multiplication unit 103, 
and outputs the scalar-multiplied point (x/, y/) with 
the complete coordinate given thereto in the affine 
coordinates in the following procedure. 

In step 4201 x^xx is calculated, and stored in 

25 the register T^. In step 4202 T^+l is calculated. 

Here, since x^x is stored in the register T^, x^x+l is 
calculated. The result is stored in the register Ti . 
In step 4203 x^+x is calculated, and stored in the 
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register In step 4204 T2+2A is calculated. Here, 

since x^+x is stored in the register T2, Xd+x+2A is 
calculated- The result is stored in the register T^. 
In step 4205 T^xT^ is calculated. Here since x^x+l is 
5 stored in the register and Xd+x+2A is stored in the 
register T^f (XdX+1) (Xd+x+2A) is calculated. The result 
is stored in the register T^. In step 4206 Ti-2A is 
calculated. Here, since (x^x+l) {Xd+x+2A) is stored in 
the register T^, (x^x+l) (Xd+x+2A) -2A is calculated. The 
10 result is stored in the register T^. In step 4207 x^-x 
is calculated, and stored in the register T2. In step 
4208 a square of T2 is calculated. Here, since x^-x is 
stored in the register Tj, (x^-x)^ is calculated. The 
result is stored in the register T2 . In step 4209 T2XXd+ 
15 is calculated. Here, since (x^-x)^ is stored in the 
register T2, (k^-k)^k^^^ is calculated. The result is 
stored in the register Tj . In step 4210 T^-T^ is 
calculated. Here, since (x^x+l ) (Xd+x+2A) ~2A is stored 
in the register T^ and {k^-k)^x^^^ is stored in the 
20 register T2, (x^x+l ) (x^+x+2A) -2A- (Xd-x) ^x^+i is calculated. 
The result is stored in the register T^. In step 4211 
2Bxy is calculated, and stored in the register T2 . In 
step 4212 the inverse element of T2 is calculated. 
Here, since 2By is stored in the register T2, l/2By is 
25 calculated. The result is stored in the register T2 . 
In step 4213 T1XT2 is calculated- Here, since 
(x^x+1) (Xd+x+2A) -2A- (x^-x) ^x^^i is stored in the register 
and l/2By is stored in the register T2, { (x^x+l) (x^+x^ 
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2A)~2A-{Xd-x)'Xd^i}/2By is calculated. The result is 
stored in the register . In step 4214 T^xd/s) is 
calculated. Here, since { (x^x+l) (Xd+x+2A) -2A- (x^- 
x)'x^,i}/2By is stored, { (x^x+l ) (Xd+x+2A) -2A- (x^-x) 'x^^J / 
5 2Bys is calculated. The result is stored in the 

register y^". In step 4215 x^xd/s) is calculated, and 
stored in the register T^. In step 4216 T^+a is 
calculated. Here, since x^/s is stored in the register 
Ti, (Xd/s)+a is calculated. The result is stored in the 
10 register x/. Therefore, the register x/ stores 

{Xd/s)+a. In step 4214 since { (x^x+l) (Xd+x+2A) -2A- (x^- 
X) ^Xd+i}/2Bys is stored in the register y^"", and is not 
updated thereafter, the value is held. 

A reason why the y-coordinate y^ of the 
15 scalar-multiplied point is recovered by the afore- 
mentioned procedure is as follows. The point (d4-l)P is 
obtained by adding the point P to the point (d+l)P. 
The assignment to the addition formulae in the affine 
coordinates of the Montgomery- form elliptic curve 
20 results in Equation 6. Since the points P and dP are 
points on the Montgomery- form elliptic curve, 
By/=x^VAXd^+Xd and By^=x^+Ax^+x are satisfied. When the 
value is assigned to Equation 6, By/ and By^ are 
deleted, and the equation is arranged. Equation 64 is 
25 obtained. The correspondence between the point on the 
Montgomery- form elliptic curve and the point on the 
Weierstrass-form elliptic curve is described in 
K.Okeya, H . Kurumatani , K.Sakurai, Elliptic Curves with 
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the Montgomery- form and Their Cryptographic Applica- 
tions, Public Key Cryptography, LNCS 1751 (2000) 
pp. 238-257, Thereby, when the conversion parameters 
are s, a, there are relations of y^'^^s'^y^ and x/^s'^x^+a. 
5 As a result. Equations 87, 63 are obtained. 

J^J = + -^x-^2A)^2A- (x, - x^x,^, \/(2sBy) 
. . . Equation 87 

Here, x/, y/ are given by FIG. 42. There- 
fore, all the values of the affine coordinate (x^"^, y^"") 

10 are recovered. 

For the aforementioned procedure, in the 
steps 4201, 4205, 4209, 4211, 4213, 4214, and 4215, the 
computational amount of multiplication on the finite 
field is required. Moreover, the computational amount 

15 of squaring on the finite field is required in the step 
4208. Furthermore, the computational amount of the 
inversion on the finite field is required in the step 
4212. The computational amounts of addition and 
subtraction on the finite field are relatively small as 

20 compared with the computational amounts of multipli- 
cation, squaring, and inversion on the finite field, 
and may therefore be ignored. Assuming that the 
computational amount of multiplication on the finite 
field is M, the computational amount of squaring on the 

25 finite field is S, and the computational amount of 

^ inversion on the finite field is I, the above procedure 
requires a computational amount of 7M+S+I. This is far 
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small as compared with the computational amount of the 
fast scalar multiplication. For example, when the 
scalar value d indicates 160 bits, the computational 
amount of the fast scalar multiplication is estimated 
5 to be a little less than about 1500 M. Assuming S=0.8 
M, 1=4 0 M, the computational amount of coordinate 
recovering is 47.8 M, and far small as compared with 
the computational amount of the fast scalar multipli- 
cation. Therefore, it is indicated that the coordinate 

10 can efficiently be recovered. 

Additionally, even when the above procedure 
is not taken, but if the values of the right side of 
the equation can be calculated, the value of y^"" can be 
recovered. In this case, the computational amount 

15 required for recovering generally increases. Further- 
more, when the value of A or B as the parameter of the 
elliptic curve, or s as the transform parameter to the 
Montgomery- form elliptic curve is set to be small, the 
computational amount of multiplication in the step 

20 4206, 4211, 4214, or 4215 can be reduced. 

A processing of the fast scalar multiplica- 
tion unit for outputting x^, x^+i from the scalar value d 
and the point P on the Weierstrass-f orm elliptic curve 
will next be described with reference to FIG. 45. 

25 The fast scalar multiplication unit 202 

inputs the point P on the Weierstrass-f orm elliptic 
curve inputted into the scalar multiplication unit 103, 
and outputs x^ in the scalar-multiplied point dF=(K^,y^) 
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represented by the affine coordinates in the 
Montgomery- form elliptic curve, and x^+i in the point 
(d+l) P= (Xd+i, yd+i) on the Montgomery- form elliptic curve 
represented by the affine coordinate by the following 
5 procedure. In step 4516, the given point P on the 

Weierstrass-f orm elliptic curve is transformed to the 
point represented by the projective coordinates on the 
Montgomery- form elliptic curve. This point is set anew 
to point P. In step 4501, the initial value 1 is 

10 assigned to the variable I. The doubled point 2P of 
the point P is calculated in step 4502. Here, the 
point P is represented as (x,y, 1) in the projective 
coordinates, and the formula of doubling in the projec- 
tive coordinate of the Montgomery-form elliptic curve 

15 is used to calculate the doubled point 2P. In step 

4503, the point P on the elliptic curve inputted into 
the scalar multiplication unit 103 and the point 2P 
obtained in the step 4502 are stored as a set of points 
(P,2P). Here, the points P and 2P are represented by 

20 the projective coordinate. It is judged in step 4504 
whether or not the variable I agrees with the bit 
length of the scalar value d. With agreement, the flow 
goes to step 4515. With disagreement, the flow goes to 
step 4505. The variable I is increased by 1 in the 

25 step 4505. It is judged in step 4506 whether the value 
of the I-th bit of the scalar value is 0 or 1. When 
the value of the bit is 0, the flow goes to the step 
4507. When the value of the bit is 1, the flow goes to 
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step 4510. In step 4507, addition mP+(m+l)P of points 
mP and {m+l)P is performed from the set of points 
(mP, (m+l)P) represented by the projective coordinate, 
and the point (2m+l)P is calculated. Thereafter, the 
5 flow goes to step 4508. Here, the addition mP+(m+l)P 
is calculated using the addition formula in the 
projective coordinates of the Montgomery- form elliptic 
curve. In step 4508, doubling 2 (mP) of the point mP is 
performed from the set of points (mP, (m+l)P) 
10 represented by the projective coordinate, and the point 
2mP is calculated. Thereafter, the flow goes to step 
4509. Here, the doubling 2 (mP) is calculated the 
formulae of doubling in the projective coordinates of 
the Montgomery- form elliptic curve. In step 4509, the 
15 point 2mP obtained in the step 4508 and the point 

(2m+l)P obtained in the step 4507 are stored as a set 
of points (2mP, (2m+l)P) instead of the set of points 
(mP, (m+l)P). Thereafter, the flow returns to the step 
4504. Here, the points 2mP, (2m+l)P, mP, and (m+l)P 
20 are all represented in the projective coordinates. In 
step 4510, addition mP+(m+l)P of the points mP, (m+l)P 
is performed from the set of points (mP, (m+l)P) 
represented by the projective coordinates, and the 
point (2m+l)P is calculated. Thereafter, the flow goes 
25 to step 4511. Here, the addition mP+(m+l)P is calcu- 
lated using the addition formulae in the projective 
coordinates of the Montgomery- form elliptic curve. In 
the step 4511, doubling 2((m4-l)P) of the point (m+l)P 
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is performed from the set of points (mP, (m+l)P) 
represented by the projective coordinates, and the 
point (2m+2)P is calculated. Thereafter, the flow goes 
to step 4512. Here, the doubling 2((m+l)P) is calcu- 
5 lated using the formula of doubling in the projective 
coordinates of the Montgomery- form elliptic curve. In 
the step 4512, the point (2m+l)P obtained in the step 
4510 and the point (2m4-2)P obtained in the step 4511 
are stored as a set of points ((2m-Hl)P, (2m+2)P) instead 

10 of the set of points (mP, {m+l)P). Thereafter, the flow 
returns to the step 4504. Here, the points (2m+l)P, 
(2m+2)P, mP, and (m+l)P are all represented in the 
projective coordinates. In step 4515, and as 
and from the point mP= (X^, Y^, Z^,) represented by the 

15 projective coordinates, and Xj^+i and Z^^^ as X^+i and Z^+i 
from the point (m+1 ) P= (X^^^.^, Y^^^, Z^^.^) represented by the 
projective coordinates are obtained. Here, Yj^ and Y^+i 
are not obtained, because the Y~coordinate cannot be 
obtained by the addition and doubling formulae in the 

20 projective coordinates of the Montgomery- form elliptic 
curve. With k^=X^^Z^^^ /ZdZd+i, and x^^^=Z^X^^^/Z^Z^^^, and 
Xd+i are obtained from X^, Z^, X^^^, Z^^^ . Thereafter, the 
flow goes to step 4513. In the step 4513, and x^+i 
are outputted. In the above procedure, m and scalar 

25 value d are equal in the bit length and bit pattern, 
and are therefore equal. 

The computational amount of the addition 
formula in the projective coordinates of the 
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Montgomery- form elliptic curve is 3M+2S with Zi=l . 
Here, M is the computational amount of multiplication 
on the finite field, and S is the computational amount 
of squaring on the finite field. The computational 
5 amount of the doubling formula in the projective 

coordinates of the Montgomery- form elliptic curve is 
3M+2S. When the value of the I-th bit of the scalar 
value is 0, the computational amount of addition in the 
step 4507, and the computational amount of doubling in 

10 the step 4508 are required. That is, the computational 
amount of 6M+4S is required. When the value of the I- 
th bit of the scalar value is 1, the computational 
amount of addition in the step 4510, and the computa- 
tional amount of doubling in the step 4511 are 

15 required. That is, the computational amount of 6M+4S 
is required. In any case, the computational amount of 
6M+4S is required- The number of repetitions of the 
steps 4504, 4505, 4506, 4507, 4508, 4509, or the steps 
4504, 4505, 4506, 4510, 4511, 4512 is (bit length of 

20 the scalar value d)-l. Therefore, in consideration of 
the computational amount of doubling in the step 4502, 
and the computational amount of the transform to the 
affine coordinate in the step 4515, the entire 
computational amount is ( 6M+4S) k+3M-2S-hI . Here, k is 

25 the bit length of the scalar value d. In general, 

since the computational amount S is estimated to be of 
the order of S=0 . 8 M, and the computational amount I is 
estimated to be of the order of 1-40 M, the entire 
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computational amount is approximately { 9 . 2k+41 • 4 ) M. 
For example, when the scalar value d indicates 160 bits 
{k=160), the computational amount of algorithm of the 
aforementioned procedure is about 1513 M. The computa- 
5 tional amount per bit of the scalar value d is about 
9.2 M. In A. Miyaji, T. Ono, H. Cohen, Efficient 
elliptic curve exponentiation using mixed coordinates. 
Advances in Cryptology Proceedings of ASIACRYPT' 98, 
LNCS 1514 (1998) pp. 51-65, the scalar multiplication 

10 method using the window method and mixed coordinates 
mainly including Jacobian coordinates in the 
Weierstrass-form elliptic curve is described as the 
fast scalar multiplication method- In this case, the 
computational amount per bit of the scalar value is 

15 estimated to be about 10 M. Additionally, the 

computational amount of the transform to the affine 
coordinate is required. For example, when the scalar 
value d indicates 160 bits (k-160), the computational 
amount of the scalar multiplication method is about 

20 1640 M. Therefore, the algorithm of the aforementioned 
procedure can be said to have a small computational 
amount and high speed. 

Additionally, instead of using the afore- 
mentioned algorithm in the fast scalar multiplication 

25 unit 202, another algorithm may be used as long as the 
algorithm outputs x^, x^+i from the scalar value d and 
the point P on the Weierstrass-form elliptic curve at 
high speed. 
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The computational amount required for 
recovering the coordinate of the coordinate recovering 
unit 203 in the scalar multiplication unit 103 is 
7M+S+I, and this is far small as compared with the 
5 computational amount of (9.2k+41.4)M necessary for fast 
scalar multiplication of the fast scalar multiplication 
unit 202. Therefore, the computational amount 
necessary for the scalar multiplication of the scalar 
multiplication unit 103 is substantially equal to the 

10 computational amount necessary for the fast scalar 

multiplication of the fast scalar multiplication unit. 
Assuming 1=4 0 M, S=0.8 the computational amount can 
be estimated to be about ( 9 . 2k+8 9 . 2 ) M . For example, 
when the scalar value d indicates 160 bits (k=160), the 

15 computational amount necessary for the scalar multipli- 
cation is about 1561 M, The Weierstrass-f orm elliptic 
curve is used as the elliptic curve, the scalar 
multiplication method is used in which the window 
method and the mixed coordinates mainly including the 

20 Jacobian coordinates are used, and the scalar- 
multiplied point is outputted as the affine coordi- 
nates. In this case, the required computational amount 
is about 1640 M, and as compared with this, the 
required computational amount is reduced. 

25 The encryption/decryption processor shown in 

FIG. 1 has been described as the apparatus which 
performs a decryption processing in the first to 
twenty-second embodiments, but can similarly be used as 
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the apparatus which performs an encryption processing. 
In this case, the scalar multiplication unit 103 of the 
encryption/decryption processor outputs the scalar- 
multiplied point by the point Q on the elliptic curve 
5 and the random number k, and the scalar-multiplied 
point by the public key aQ and random number k as 
described above. In this case, the scalar value d 
described in the first to twenty-second embodiments are 
used as the random number k, the point P on the 

10 elliptic curve is used as the point Q on the elliptic 
curve and the public key aQ, and the similar processing 
is performed, so that the respective scalar-multiplied 
points can be obtained. 

Additionally, the encryption/decryption 

15 processor shown in FIG- 1 can perform both the encryp- 
tion and the decryption, but may be constituted to 
perform only the encryption processing or the decryp- 
tion processing. 

Moreover, the processing described in the 

20 first to twenty-second embodiments may be a program 

stored in a computer readable storage medium. In this 
case, the program is read into the storage of FIG. 1, 
and operation units such as CPU as the processor 
performs the processing in accordance with the program. 

25 FIG. 27 is a diagram showing the example of 

the fast scalar multiplication method in which the 
complete coordinate of the scalar-multiplied point is 
given in the encryption processing using private 
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information in the encryption processing system of FIG. 
1. FIG. 33 is a flowchart showing a flow of the 
processing in the example of the scalar multiplication 
method of FIG. 27. 
5 In FIG. 33, a scalar multiplication unit 2701 

of FIG. 27 calculates and outputs the scalar-multiplied 
point with the complete coordinate given thereto on the 
Weierstrass-form elliptic curve from the scalar value 
and the point on the Weierstrass-form elliptic curve as 

10 follows. When the scalar value and the point on the 
Weierstrass-form elliptic curve are inputted into the 
scalar multiplication unit 2701, an elliptic curve 
transformer 2704 transforms the point on the 
Weierstrass-form elliptic curve to the point on the 

15 Montgomery- form elliptic curve {step 3301) . A fast 
scalar multiplication unit 2702 receives the scalar 
value inputted into the scalar multiplication unit 2701 
and the point on the Montgomery- form elliptic curve 
transformed by the elliptic curve transformer 2704 

20 (step 3302) . A fast scalar multiplication unit 2702 

calculates some values of the coordinate of the scalar- 
multiplied point on the Montgomery- form elliptic curve 
from the received scalar value and the point on the 
Montgomery- form elliptic curve (step 3303), and gives 

25 the information to a coordinate recovering unit 2703 
(step 3304) . The coordinate recovering unit 2703 
recovers the coordinate of the scalar-multiplied point 
on the Montgomery-form elliptic curve from the infor- 
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mation of the given scalar-multiplied point on the 
processing elliptic curve and the point on the 
Montgomery- form elliptic curve transformed by the 
elliptic curve transformer 2704 (step 3305) . An 
5 elliptic curve inverse transformer 2705 transforms the 
scalar-multiplied point on the Montgomery- form elliptic 
curve recovered by the coordinate recovering unit 2703 
to the scalar-multiplied point on the Weierstrass-f orm 
elliptic curve (step 3306) . The scalar multiplication 
10 unit 2701 outputs the scalar-multiplied point with the 
coordinate completely given thereto on the Weierstrass- 
form elliptic curve as the calculation result (step 
3307) . 

For the scalar multiplication on the 
15 Montgomery-form elliptic curve executed by the fast 

scalar multiplication unit 2702 and coordinate recover- 
ing unit 2703 in the scalar multiplication unit 2701, 
the scalar multiplication method on the Montgomery-form 
elliptic curve described above in the first to fifth 
20 and fourteenth to sixteenth embodiments is applied as 
it is. Therefore, the scalar multiplication is the 
scalar multiplication method in which the complete 
coordinate of the scalar-multiplied point is given at 
the high speed. 
25 FIG- 22 shows a constitution in which the 

encryption processing system of the present embodiment 
of FIG. 1 is used as a signature generation unit. The 
cryptography processor 102 of FIG. 1 is a signature 
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unit 2202 in a signature generation unit 2201 of FIG. 
22. FIG- 28 is a flowchart showing a flow of the 
processing in the signature generation unit. FIG. 29 
is a sequence diagram showing the flow of the process- 
5 ing in the signature generation unit of FIG. 22. 

In FIG- 28, the signature generation unit 
2201 outputs a message 2206 with the signature attached 
thereto from a given message 2205. The message 2205 is 
inputted into the signature generation unit 2201 and 

10 received by the signature unit 2202 (step 2801) . The 

signature unit 2202 gives a point on the elliptic curve 
to a scalar multiplication unit 2203 in accordance with 
the received message 2205 (step 2802) . The scalar 
multiplication unit 2203 receives the scalar value as 

15 private information from a private information storage 
2204 (step 2803) . The scalar multiplication unit 2203 
calculates the scalar-multiplied point from the 
received point on the elliptic curve and the scalar 
value (step 2804), and sends the scalar-multiplied 

20 point to the signature unit 2202 (step 2805) . The 
signature unit 2202 performs a signature generation 
processing based on the scalar-multiplied point 
received from the scalar multiplication unit 2203 (step 
2806) . The result is outputted as the message 2206 

25 with the signature attached thereto (step 2807) . 

The processing procedure will be described 
with reference to the sequence diagram of FIG. 29. 
First, a processing executed by a signature unit 2901 
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(2202 of FIG, 22) will be described. The signature 
unit 2901 receives the inputted message. The signature 
unit 2901 selects the point on the elliptic curve based 
on the inputted message, gives the point on the 
5 elliptic curve to a scalar multiplication unit 2902, 
and receives the scalar-multiplied point from the 
scalar multiplication unit 2902. The signature unit 

2901 uses the received scalar-multiplied point to 
perform the signature generation processing and outputs 

10 the result as the output message. 

The processing executed by the scalar 
multiplication unit 2902 (2203 of FIG. 22) will next be 
described. The scalar multiplication unit 2902 
receives the point on the elliptic curve from the 

15 signature unit 2901. The scalar multiplication unit 

2902 receives the scalar value from a private informa- 
tion storage 2903. The scalar multiplication unit 2902 
calculates the scalar-multiplied point and sends the 
scalar-multiplied point to the signature unit 2901 from 

20 the received point on the elliptic curve and scalar 
value by the fast scalar multiplication method which 
gives the complete coordinate . 

Finally, a processing executed by the private 
information storage 2903 (2204 of FIG. 22) will be 

25 described- The private information storage 2903 sends 
the scalar value to the scalar multiplication unit 2902 
so that the scalar multiplication unit 2902 can 
calculate the scalar multiplication. 



X O O fi-a-'^S iS' H" ^ 3 O O S 



280 

For the scalar multiplication executed by the 
scalar multiplication unit 2203, the method described 
in the first to twenty-second embodiments are applied 
as they are. Therefore, the scalar multiplication is a 
5 fast scalar multiplication method in which the complete 
coordinate of the scalar-multiplied point is given. 
Therefore, when the signature generation processing is 
performed in the signature unit 2202, the complete 
coordinate of the scalar-multiplied point can be used, 

10 and the calculation can be executed at the high speed . 

FIG. 23 shows a constitution in which the 
encryption processing system of the present embodiment 
of FIG. 1 is used as a decryption unit. The crypto- 
graphy processor 102 of FIG. 1 is a decryption unit 

15 2302 in a decryption apparatus 2301 of FIG. 23. FIG. 
30 is a flowchart showing a flow of the processing in 
the decryption unit. FIG. 31 is a sequence diagram 
showing the flow of the processing in the decryption 
unit of FIG. 23. 

20 In FIG- 30, the decryption unit 2301 outputs 

a decrypted message 2306 from a given message 2305. 
The message 2305 is inputted into the decryption unit 
2301 and received by the decryption unit 2302 (step 
3001) . The decryption unit 2302 gives a point on the 

25 elliptic curve to a scalar multiplication unit 2303 in 
accordance with the received message 2305 (step 3002) . 
The scalar multiplication unit 2303 receives the scalar 
value as private information from a private information 
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storage 2304 (step 3003) . The scalar multiplication 
unit 2303 calculates the scalar-multiplied point from 
the received point on the elliptic curve and the scalar 
value (step 3004) , and sends the scalar-multiplied 
5 point to the decryption unit 2302 (step 3005) . The 
decryption unit 2302 performs a decryption processing 
based on the scalar-multiplied point received from the 
scalar multiplication unit 2303 (step 3006) . The 
result is outputted as the message 2306 with, the 

10 decrypted result (step 3007). 

The processing procedure will be described 
with reference to the sequence diagram of FIG. 31. 
First, a processing executed by a decryption unit 3101 
(2302 of FIG. 23) will be described. The decryption 

15 unit 3101 receives the inputted message. The decryp- 
tion unit 3101 selects the point on the elliptic curve 
based on the inputted message, gives the point on the 
elliptic curve to a scalar multiplication unit 3102, 
and receives the scalar-multiplied point from the 

20 scalar multiplication unit 3102. The signature unit 
3101 uses the received scalar-multiplied point to 
perform the decryption processing and outputs the 
result as the output message. 

The processing executed by the scalar 

25 multiplication unit 3102 (2303 of FIG. 23) will next be 
described. The scalar multiplication unit 3102 
receives the point on the elliptic curve from the 
decryption unit 3101. The scalar multiplication unit 



3102 receives the scalar value from a private infor- 
mation storage 3103. The scalar multiplication unit 
3102 calculates the scalar-multiplied point from the 
received point on the elliptic curve and scalar value 
5 by the fast scalar multiplication method which gives 

the complete coordinate and sends the scalar-multiplied 
point to the decryption unit 3101. 

Finally, a processing executed by the private 
information storage 3103 (2304 of FIG. 23) will be 

10 described. The private information storage 3103 sends 
the scalar value to the scalar multiplication unit 3102 
so that the scalar multiplication unit 3102 can 
calculate the scalar multiplication. 

For the scalar multiplication executed by the 

15 scalar multiplication unit 2303, the method described 
in the first to twenty-second embodiments are applied 
as they are. Therefore, the scalar multiplication is a 
fast scalar multiplication method in which the complete 
coordinate of the scalar-multiplied point is given. 

20 Therefore, when the decryption processing is performed 
in the decryption unit 2302, the complete coordinate of 
the scalar-multiplied point can be used, and the 
calculation can be executed at the high speed. 

As described above,- according to the present 

25 invention, the speed of the scalar multiplication for 
use in the cryptography processing using the private 
information in the cryptography processing system is 
raised, and a fast cryptography processing can be 
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achieved. Moreover^ since the coordinate of the 
scalar-multiplied point can completely be given, all 
cryptography processing can be performed* 



